From: | pgsql(at)mohawksoft(dot)com |
---|---|
To: | "Magnus Hagander" <magnus(at)hagander(dot)net> |
Cc: | pgsql(at)mohawksoft(dot)com, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Andrew Dunstan" <andrew(at)dunslane(dot)net>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: SSL and USER_CERT_FILE |
Date: | 2008-05-15 17:44:20 |
Message-ID: | 56886.24.60.196.157.1210873460.squirrel@mail.mohawksoft.com |
Lists: | pgsql-hackers |
> pgsql(at)mohawksoft(dot)com wrote:
>> > pgsql(at)mohawksoft(dot)com writes:
>> >> Maybe we need to go even further and add it to the PQconnect API
>> >> sslkey=filename and sslcrt=filename in addition to sslmode?
>> >
>> > If there's a case to be made for this at all, it should be handled
>> > the same way as all other libpq connection parameters.
>> >
>> > regards, tom lane
>> >
>>
>> Here's the use case:
>>
>> I have an application that must connect to multiple PostgreSQL
>> databases and must use secure communications and the SSL keys are
>> under the control of the business units that administer the databases,
>> not me. In addition my application also communicates with other SSL
>> enabled versions of itself.
>>
>> I think you would agree that a hard coded immutable location for
>> "client" interface is problematic.
>
> I agree fully with the use-case. Most of the other things we allow both
> as connection parameters and as environment variables, so we should do
> that IMHO. What could be debated is if we should also somehow allow it
> to be specified in .pgpass for example?
>
I am testing a patch that is currently against the 8.2 series.

It implements in PQconnectdb(...)

"sslmode=require sslkey=client.key sslcert=client.crt ssltrustcrt=certs.pem sslcrl=crl.pem"

BTW: the revocation list probably never worked in the client.
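
The per-connection setup described in this message, as an added example that is not part of the original message or its patch: it builds one conninfo string per database from a directory of SSL files and refuses a private key that group or others can access. It uses the keyword names of released libpq (sslcert, sslkey, sslrootcert, sslcrl) rather than the patch's ssltrustcrt; the host names, unit names and directory layout are assumptions.

```python
import os
import stat
import tempfile

# Keyword names follow released libpq; the message's patch used ssltrustcrt
# where libpq now has sslrootcert. File names are the ones from the message.
SSL_FILES = {"sslcert": "client.crt", "sslkey": "client.key",
             "sslrootcert": "certs.pem", "sslcrl": "crl.pem"}


def quote_conninfo(value):
    """Quote per conninfo rules: wrap in '...' and backslash-escape \\ and '."""
    if value and not any(c.isspace() or c in "'\\" for c in value):
        return value
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def key_is_private(path):
    """Regular file with no group/other permission bits (0600 or stricter)."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and not mode & (stat.S_IRWXG | stat.S_IRWXO)


def build_conninfo(host, dbname, ssl_dir, sslmode="require"):
    """Build one conninfo string using the SSL material found in ssl_dir."""
    params = {"host": host, "dbname": dbname, "sslmode": sslmode}
    for keyword, filename in SSL_FILES.items():
        path = os.path.join(ssl_dir, filename)
        if not os.path.isfile(path):
            if keyword == "sslcrl":      # a CRL is optional
                continue
            raise FileNotFoundError(path)
        if keyword == "sslkey" and not key_is_private(path):
            raise PermissionError(f"{path}: group/other access to private key")
        params[keyword] = path
    return " ".join(f"{k}={quote_conninfo(v)}" for k, v in params.items())


def demo():
    """Constructed layout: one directory of SSL files per business unit."""
    root = tempfile.mkdtemp()
    out = {}
    for unit in ("billing", "hr dept"):          # hypothetical unit names
        d = os.path.join(root, unit)
        os.mkdir(d)
        for name in SSL_FILES.values():
            with open(os.path.join(d, name), "w") as f:
                f.write("placeholder\n")
        os.chmod(os.path.join(d, "client.key"), 0o600)
        out[unit] = build_conninfo(f"{unit.split()[0]}-db.example", "app", d)
    return root, out
```
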