SSL client cert patch submitted - Mailing list pgsql-hackers

From Bear Giles
Subject SSL client cert patch submitted
Msg-id 200205170600.AAA04703@eris.coyotesong.com
List pgsql-hackers
I just submitted a patch to support SSL client certificates.
With this patch the Port structure is extended to include a
new field, 'peer', that contains the client certificate if 
offered.

This patch also cleans up the SSL code.  Most of this should
be invisible to users, with the exception of a new requirement
that private keys be regular files without world- or group-access,
a standard requirement for private keys.  The patch should also
be much more secure with the addition of support for ephemeral DH
keys.

To use it, you must create a new client cert, e.g., with

 openssl req -new -x509 -newkey rsa:1024 -keyout key.pem \
   -nodes -out cert.pem -days 365
 chmod go-rwx key.pem

then specify the location of these files with two environment
variables:
 set PGCLIENTCERT=cert.pem; export PGCLIENTCERT
 set PGCLIENTKEY=key.pem; export PGCLIENTKEY

(or maybe libpq should just look in $HOME/.postgresql/..., similar
to how ssh(1) works.)  The postmaster log should show something like
 DEBUG: SSL connection from /DC=com/DC=example/CN=BearGiles/Email=bgiles@example.com with cipher EDH-RSA-DES-CBC3-SHA

(after restarting postmaster, obviously).

The patch description contains a brief discussion of other
issues (TLSv1, renegotiation, mapping client certs to users).

Bear
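As an added example (not part of Bear's patch or of libpq), a pre-flight check a user can run before exporting PGCLIENTCERT/PGCLIENTKEY; it applies the same rule the patch enforces on the key file, namely a regular file with no group or world access bits, using only portable ls/cut so it works in any POSIX sh. The function names are my own.

```sh
#!/bin/sh
# Added example: verify the client cert/key files before starting libpq.
# Not code from the patch; check_client_key/check_client_env are assumed names.

# Reject anything that is not a regular file or that has any group/world bit.
check_client_key() {
    key=$1
    if [ ! -f "$key" ]; then
        echo "$key: private key must be a regular file" >&2
        return 1
    fi
    # Characters 5-10 of 'ls -l' output are the group and other permission
    # bits; 'ls -ld' keeps a directory from being listed by its contents.
    gobits=$(ls -ld "$key" | cut -c5-10)
    if [ "$gobits" != "------" ]; then
        echo "$key: group/world access set ($gobits); run: chmod go-rwx $key" >&2
        return 1
    fi
    return 0
}

# Check both files named by the environment variables from the post.
check_client_env() {
    if [ -z "$PGCLIENTCERT" ] || [ ! -f "$PGCLIENTCERT" ]; then
        echo "PGCLIENTCERT is unset or not a regular file" >&2
        return 1
    fi
    if [ -z "$PGCLIENTKEY" ]; then
        echo "PGCLIENTKEY is unset" >&2
        return 1
    fi
    check_client_key "$PGCLIENTKEY"
}

# Usage (after the openssl/chmod steps above):
#   export PGCLIENTCERT=cert.pem PGCLIENTKEY=key.pem
#   check_client_env && psql ...
```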

