Postgres Pro
Downloads
Home   >   mailing lists

Re: libpq sslpassword parameter and callback function - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: libpq sslpassword parameter and callback function
Date
Msg-id 72c44d94-6ac6-d47c-9547-7423c7bf6f33@2ndQuadrant.com
Whole thread Raw
In response to Re: libpq sslpassword parameter and callback function  (Andrew Dunstan <andrew.dunstan@2ndquadrant.com>)
Responses Re: libpq sslpassword parameter and callback function  (Craig Ringer <craig@2ndquadrant.com>)
Re: libpq sslpassword parameter and callback function  (Andrew Dunstan <andrew.dunstan@2ndquadrant.com>)
List pgsql-hackers
Tree view 
On 10/31/19 6:34 PM, Andrew Dunstan wrote:
> This time with attachment.
>
>
> On 10/31/19 6:33 PM, Andrew Dunstan wrote:
>> This patch provides for an sslpassword parameter for libpq, and a hook
>> that a client can fill in for a callback function to set the password.
>>
>>
>> This provides similar facilities to those already available in the JDBC
>> driver.
>>
>>
>> There is also a function to fetch the sslpassword from the connection
>> parameters, in the same way that other settings can be fetched.
>>
>>
>> This is mostly the excellent work of my colleague Craig Ringer, with a
>> few embellishments from me.
>>
>>
>> Here are his notes:
>>
>>
>>     Allow libpq to non-interactively decrypt client certificates that
>> are stored
>>     encrypted by adding a new "sslpassword" connection option.
>>    
>>     The sslpassword option offers a middle ground between a cleartext
>> key and
>>     setting up advanced key mangement via openssl engines, PKCS#11, USB
>> crypto
>>     offload and key escrow, etc.
>>    
>>     Previously use of encrypted client certificate keys only worked if
>> the user
>>     could enter the key's password interactively on stdin, in response
>> to openssl's
>>     default prompt callback:
>>    
>>         Enter PEM passhprase:
>>    
>>     That's infesible in many situations, especially things like use from
>>     postgres_fdw.
>>    
>>     This change also allows admins to prevent libpq from ever prompting
>> for a
>>     password by calling:
>>    
>>         PQsetSSLKeyPassHook(PQdefaultSSLKeyPassHook);
>>    
>>     which is useful since OpenSSL likes to open /dev/tty to prompt for a
>> password,
>>     so even closing stdin won't stop it blocking if there's no user
>> input available.
>>     Applications may also override or extend SSL password fetching with
>> their own
>>     callback.
>>    
>>     There is deliberately no environment variable equivalent for the
>> sslpassword
>>     option.
>>
>>

I should also mention that this patch provides for support for DER
format certificates and keys.


cheers


andrew


-- 
Andrew Dunstan                https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

pgsql-hackers by date:

Previous
From: Thomas Munro
Date:
Subject: A wiki page to track hash join projects and ideas
Next
From: Andres Freund
Date:
Subject: Re: merging HashJoin and Hash nodes