Postgres Pro
Downloads
Home   >   mailing lists

Re: libpq sslpassword parameter and callback function - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: libpq sslpassword parameter and callback function
Date
Msg-id ce7881f6-bf37-7696-0f1f-e7f07eaaaaf5@2ndQuadrant.com
Whole thread Raw
In response to Re: libpq sslpassword parameter and callback function  (Andrew Dunstan <andrew.dunstan@2ndquadrant.com>)
Responses Re: libpq sslpassword parameter and callback function  (Andrew Dunstan <andrew.dunstan@2ndquadrant.com>)
List pgsql-hackers
Tree view 
On 10/31/19 7:27 PM, Andrew Dunstan wrote:
> On 10/31/19 6:34 PM, Andrew Dunstan wrote:
>> This time with attachment.
>>
>>
>> On 10/31/19 6:33 PM, Andrew Dunstan wrote:
>>> This patch provides for an sslpassword parameter for libpq, and a hook
>>> that a client can fill in for a callback function to set the password.
>>>
>>>
>>> This provides similar facilities to those already available in the JDBC
>>> driver.
>>>
>>>
>>> There is also a function to fetch the sslpassword from the connection
>>> parameters, in the same way that other settings can be fetched.
>>>
>>>
>>> This is mostly the excellent work of my colleague Craig Ringer, with a
>>> few embellishments from me.
>>>
>>>
>>> Here are his notes:
>>>
>>>
>>>     Allow libpq to non-interactively decrypt client certificates that
>>> are stored
>>>     encrypted by adding a new "sslpassword" connection option.
>>>    
>>>     The sslpassword option offers a middle ground between a cleartext
>>> key and
>>>     setting up advanced key mangement via openssl engines, PKCS#11, USB
>>> crypto
>>>     offload and key escrow, etc.
>>>    
>>>     Previously use of encrypted client certificate keys only worked if
>>> the user
>>>     could enter the key's password interactively on stdin, in response
>>> to openssl's
>>>     default prompt callback:
>>>    
>>>         Enter PEM passhprase:
>>>    
>>>     That's infesible in many situations, especially things like use from
>>>     postgres_fdw.
>>>    
>>>     This change also allows admins to prevent libpq from ever prompting
>>> for a
>>>     password by calling:
>>>    
>>>         PQsetSSLKeyPassHook(PQdefaultSSLKeyPassHook);
>>>    
>>>     which is useful since OpenSSL likes to open /dev/tty to prompt for a
>>> password,
>>>     so even closing stdin won't stop it blocking if there's no user
>>> input available.
>>>     Applications may also override or extend SSL password fetching with
>>> their own
>>>     callback.
>>>    
>>>     There is deliberately no environment variable equivalent for the
>>> sslpassword
>>>     option.
>>>
>>>
> I should also mention that this patch provides for support for DER
> format certificates and keys.
>
>


Here's an updated version of the patch, adjusted to the now committed
changes to TestLib.pm.


cheers


andrew


-- 

Andrew Dunstan                https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Attachment

pgsql-hackers by date:

Previous
From: Robert Haas
Date:
Subject: Re: [HACKERS] WAL logging problem in 9.4.3?
Next
From: Phil Florent
Date:
Subject: RE: GROUPING SETS and SQL standard