Re: libpq sslpassword parameter and callback function

From: Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>
To: PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: libpq sslpassword parameter and callback function
Date: 2019-11-25 21:09:08
Message-ID: ce7881f6-bf37-7696-0f1f-e7f07eaaaaf5@2ndQuadrant.com
Lists: pgsql-hackers


On 10/31/19 7:27 PM, Andrew Dunstan wrote:
> On 10/31/19 6:34 PM, Andrew Dunstan wrote:
>> This time with attachment.
>>
>>
>> On 10/31/19 6:33 PM, Andrew Dunstan wrote:
>>> This patch provides for an sslpassword parameter for libpq, and a hook
>>> that a client can fill in for a callback function to set the password.
>>>
>>>
>>> This provides similar facilities to those already available in the JDBC
>>> driver.
>>>
>>>
>>> There is also a function to fetch the sslpassword from the connection
>>> parameters, in the same way that other settings can be fetched.
>>>
>>>
>>> This is mostly the excellent work of my colleague Craig Ringer, with a
>>> few embellishments from me.
>>>
>>>
>>> Here are his notes:
>>>
>>>
>>>     Allow libpq to non-interactively decrypt client certificates that are stored
>>>     encrypted by adding a new "sslpassword" connection option.
>>>
>>>     The sslpassword option offers a middle ground between a cleartext key and
>>>     setting up advanced key management via openssl engines, PKCS#11, USB crypto
>>>     offload and key escrow, etc.
>>>
>>>     Previously use of encrypted client certificate keys only worked if the user
>>>     could enter the key's password interactively on stdin, in response to openssl's
>>>     default prompt callback:
>>>
>>>         Enter PEM pass phrase:
>>>
>>>     That's infeasible in many situations, especially things like use from
>>>     postgres_fdw.
>>>
>>>     This change also allows admins to prevent libpq from ever prompting for a
>>>     password by calling:
>>>
>>>         PQsetSSLKeyPassHook(PQdefaultSSLKeyPassHook);
>>>
>>>     which is useful since OpenSSL likes to open /dev/tty to prompt for a password,
>>>     so even closing stdin won't stop it blocking if there's no user input available.
>>>     Applications may also override or extend SSL password fetching with their own
>>>     callback.
>>>
>>>     There is deliberately no environment variable equivalent for the sslpassword
>>>     option.
>>>
>>>
> I should also mention that this patch provides for support for DER
> format certificates and keys.
>
>

Here's an updated version of the patch, adjusted to the now committed
changes to TestLib.pm.

cheers

andrew

--

Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Attachment Content-Type Size
0001-libpq-sslpassword-and-DER-support.patch text/x-patch 27.2 KB
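
The notes above say an application can supply its own key-password callback so that nothing ever prompts on stdin or /dev/tty. The following is an added example, not code from the patch or from libpq: it sketches such a callback using the contract of OpenSSL's `pem_password_cb` (fill the buffer, return the length, negative on error). The libpq hook's own signature is not shown on this page, so `passphrase_cb`, `struct key_secret`, `noninteractive_passphrase_cb` and `demo_fetch` are hypothetical names, and the passphrases are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Local typedef with the same shape as OpenSSL's pem_password_cb, declared
 * here (an assumption for this example) so the block builds without OpenSSL. */
typedef int (*passphrase_cb)(char *buf, int size, int rwflag, void *userdata);

/* Hypothetical application-side holder for the key passphrase. */
struct key_secret {
    const char *passphrase;   /* NULL when none was configured */
};

/* Non-interactive callback: never reads stdin or /dev/tty. If no passphrase
 * is configured, or it does not fit, return -1 so key loading fails fast
 * instead of blocking on a prompt or using a truncated secret. */
int noninteractive_passphrase_cb(char *buf, int size, int rwflag, void *userdata)
{
    const struct key_secret *secret = userdata;
    size_t len;

    (void) rwflag;            /* 0 means "decrypting", the case discussed here */
    if (buf == NULL || size <= 0)
        return -1;
    buf[0] = '\0';            /* never leave stale bytes for the caller */
    if (secret == NULL || secret->passphrase == NULL)
        return -1;

    len = strlen(secret->passphrase);
    if (len == 0 || len >= (size_t) size)
        return -1;            /* empty or too long: refuse, do not truncate */

    memcpy(buf, secret->passphrase, len + 1);
    return (int) len;
}

/* Invoke the callback the way a TLS library would when it meets an
 * encrypted private key. */
int demo_fetch(const char *configured, char *out, int out_size)
{
    struct key_secret secret = { configured };
    passphrase_cb cb = noninteractive_passphrase_cb;

    return cb(out, out_size, 0, &secret);
}

int main(void)
{
    char buf[16];

    printf("configured: %d\n", demo_fetch("hunter2", buf, sizeof buf));
    printf("missing:    %d\n", demo_fetch(NULL, buf, sizeof buf));
    printf("too long:   %d\n", demo_fetch("s3cret-constructed", buf, sizeof buf));
    return 0;
}
```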
