From: | Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, Simon Riggs <simon(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: ssl passphrase callback |
Date: | 2020-01-22 07:02:01 |
Message-ID: | CAA8=A7_33eM7qCsG-XBe+jkFx=PAM8-WG_GTWDsoHFXqbJdB=Q@mail.gmail.com |
Lists: | pgsql-hackers |
On Sun, Dec 8, 2019 at 9:02 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com> writes:
> > Well that pretty much brings us back to the patch as submitted :-)
>
> Yeah, pretty nearly. Taking a quick look over the v3 patch, my
> only quibble is that it doesn't provide any convenient way for the
> external module to make decisions about how to interact with
> ssl_passphrase_command --- in particular, if it would like to allow
> that to take precedence, it can't because there's no way for it to
> invoke the static function ssl_external_passwd_cb.
>
> But rather than expose that globally, maybe the theory ought to be
> "set up the state as we'd normally do, then let loadable modules
> choose to override it". So I'm tempted to propose a hook function
> with the signature
>
> void openssl_tls_init_hook(SSL_CTX *context, bool isServerStart);
>
> and invoke that somewhere in be_tls_init --- maybe fairly late,
> so that it can override other settings if it wants, not only the
> SSL_CTX_set_default_passwd_cb setting.
>
Not sure if the placement is what you want, but maybe something like this?
cheers
andrew
--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Attachment | Content-Type | Size |
---|---|---|
ssl-passphrase-callback-4.patch | text/x-patch | 9.9 KB |
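The ordering Tom sketches above (install the normal state, then late in be_tls_init let a loaded module override whatever it wants, the SSL_CTX_set_default_passwd_cb setting included) can be modelled end to end. The block below is an added example written for this page; it is not code from the attached patch or from PostgreSQL itself. It keeps OpenSSL's real pem_password_cb contract but replaces SSL_CTX with a two-field stand-in (comments map its fields to SSL_CTX_set_default_passwd_cb, SSL_CTX_get_default_passwd_cb and their *_userdata variants), assumes the hook is exposed as a global function pointer named openssl_tls_init_hook as PostgreSQL's other hooks are, and constructs both the ssl_passphrase_command output and the module's own secret inline. It also exercises the isServerStart flag: on a SIGHUP reload the server's default callback declines unless ssl_passphrase_command_supports_reload is on, and a module that chains to the previous callback (so ssl_passphrase_command keeps precedence, the case Tom raises) sees that refusal and only then falls back to its own source.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* OpenSSL's pem_password_cb contract: write at most size bytes of passphrase
 * into buf and return its length; a return value <= 0 means "no passphrase". */
typedef int (*passwd_cb_t)(char *buf, int size, int rwflag, void *userdata);

/* Stand-in for the slice of SSL_CTX this example touches. Real code would call
 * SSL_CTX_set_default_passwd_cb / SSL_CTX_get_default_passwd_cb and the
 * *_userdata variants on the real context instead of touching two fields. */
typedef struct {
    passwd_cb_t passwd_cb;
    void       *passwd_userdata;
} tls_init_ctx;

/* The hook proposed in the thread, modelled as a global function pointer
 * (assumption: that is how PostgreSQL's other hooks are exposed). */
typedef void (*openssl_tls_init_hook_typ)(tls_init_ctx *context, bool isServerStart);
static openssl_tls_init_hook_typ openssl_tls_init_hook = NULL;

/* Model of the server's own callback (ssl_external_passwd_cb in the thread):
 * hands out what ssl_passphrase_command produced. A SIGHUP reload has no
 * terminal to prompt on, so it declines there unless
 * ssl_passphrase_command_supports_reload is on. */
typedef struct {
    const char *command_output;   /* constructed: stands for the command's stdout */
    bool        supports_reload;  /* ssl_passphrase_command_supports_reload */
    bool        is_server_start;
} server_passwd_state;

static int server_default_passwd_cb(char *buf, int size, int rwflag, void *userdata)
{
    server_passwd_state *st = userdata;
    size_t len = strlen(st->command_output);
    (void) rwflag;                          /* the server only ever decrypts */
    if (!st->is_server_start && !st->supports_reload)
        return -1;                          /* cannot run the command on reload */
    if (len >= (size_t) size)
        return -1;                          /* never overrun OpenSSL's buffer */
    memcpy(buf, st->command_output, len);
    return (int) len;
}

/* Model of be_tls_init(): install the normal callback first, then, late,
 * give a loaded module the chance to override it. */
static server_passwd_state g_state;

static void be_tls_init_model(tls_init_ctx *ctx, bool isServerStart,
                              const char *command_output, bool supports_reload)
{
    g_state.command_output  = command_output;
    g_state.supports_reload = supports_reload;
    g_state.is_server_start = isServerStart;
    ctx->passwd_cb       = server_default_passwd_cb;
    ctx->passwd_userdata = &g_state;
    if (openssl_tls_init_hook)
        openssl_tls_init_hook(ctx, isServerStart);
}

/* A module that lets ssl_passphrase_command take precedence: it remembers the
 * callback installed before it, tries that first, and falls back to its own
 * (constructed) secret only when the default declines. */
static passwd_cb_t prev_cb;
static void       *prev_userdata;
static const char *module_secret = "module-held-passphrase";

static int module_passwd_cb(char *buf, int size, int rwflag, void *userdata)
{
    size_t len = strlen(module_secret);
    (void) userdata;
    if (prev_cb) {
        int n = prev_cb(buf, size, rwflag, prev_userdata);
        if (n > 0)
            return n;
    }
    if (len >= (size_t) size)
        return -1;
    memcpy(buf, module_secret, len);
    return (int) len;
}

static void module_tls_init_hook(tls_init_ctx *ctx, bool isServerStart)
{
    (void) isServerStart;                   /* this module behaves the same on reload */
    prev_cb       = ctx->passwd_cb;         /* SSL_CTX_get_default_passwd_cb() */
    prev_userdata = ctx->passwd_userdata;   /* SSL_CTX_get_default_passwd_cb_userdata() */
    ctx->passwd_cb       = module_passwd_cb;
    ctx->passwd_userdata = NULL;
}

/* Drive one scenario the way OpenSSL would when loading an encrypted key:
 * initialise, then call whatever callback ended up installed. Returns the
 * callback's result and leaves the passphrase in last_passphrase. */
char last_passphrase[64];

int run_scenario(bool module_loaded, bool isServerStart, bool supports_reload, int bufsize)
{
    tls_init_ctx ctx = {0};
    int n;
    openssl_tls_init_hook = module_loaded ? module_tls_init_hook : NULL; /* what _PG_init would set */
    be_tls_init_model(&ctx, isServerStart, "command-passphrase", supports_reload);
    n = ctx.passwd_cb(last_passphrase, bufsize, 0, ctx.passwd_userdata);
    last_passphrase[n > 0 ? n : 0] = '\0';
    return n;
}
```

Two practical notes on the model. First, because be_tls_init runs in the postmaster, a module can only install such a hook from shared_preload_libraries, which already makes it fully trusted server-side code; the hook does not widen what an unprivileged extension can do. Second, a module that chooses to chain must save both the callback and its userdata before overwriting them, exactly as module_tls_init_hook does; saving only the callback and passing its own userdata to the default callback would hand ssl_external_passwd_cb a pointer of the wrong type.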