| From: | "Robin Haberkorn" <haberkorn(at)b1-systems(dot)de> |
|---|---|
| To: | "Seth Robertson" <in-pgsql-hackers(at)baka(dot)org> |
| Cc: | "PostgreSQL-development" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PATCH] Automatic client certificate selection support for libpq v1 |
| Date: | 2025-03-31 10:57:55 |
| Message-ID: | D8UECASI63GX.3RPP8VALHIIPV@b1-systems.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hello everybody!
I was investigating the item "Allow automatic selection of SSL client
certificates from a certificate store" from the Todo list [1]. If I
understand Seth Robertson in his initial mail correctly, he wanted libpq to
select client certificates automatically based on the host while storing
several client certificates and keys in single crt and key files.
Client certs are currently loaded with SSL_CTX_use_certificate_chain_file()
in src/interfaces/libpq/fe-secure-openssl.c.
While it is theoretically possible to implement host-specific logic using
SSL_CTX_set_client_cert_cb(), I don't think you could store all
the possible certificates in a single file as you might actually already
need several certificates for a single host in the form of a certificate
chain. As was pointed out in the thread back then, you would have to
implement something like a certificate wallet/store from scratch.
At the most, Seth's initial patch could be improved by looking
up per-host client certificate/key files based on the host-reported
server name (SSL_get_servername()), which should be more reliable when
working with host aliases.
But then on the other hand, there are sslcert/sslkey connection parameters
since 8.4, which Seth was apparently aware of. As far as I understand,
he just wanted this patch for 8.3 as well and he didn't want to update
all of his existing programs. Considering that his initial mail was
written 16 years ago, I don't think this is a valid argument anymore.
It should be possible to adapt programs easily, e.g. by accepting
"postgresql://" URIs instead of domains and manually choosing appropriate
certificate/key filenames.
In my opinion there is little than can and should be done in Postgres
at this point. Or does anybody think, that a server-name-based certificate
file selection feature should still be implemented?
If yes, I would be happy to take care of it.
If not, I would suggest to remove this item from the agenda/wiki.
Best regards,
Robin Haberkorn
[1]: http://archives.postgresql.org/pgsql-hackers/2009-05/msg00406.php
--
Robin Haberkorn
Senior Software Engineer
Tel.: +49 157 85228715
E-Mail: haberkorn(at)b1-systems(dot)de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / https://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt, HRB 3537
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Yugo Nagata | 2025-03-31 11:00:57 | Prevent internal error at concurrent CREATE OR REPLACE FUNCTION |
| Previous Message | Yura Sokolov | 2025-03-31 10:42:01 | Re: Get rid of WALBufMappingLock |