Thread: pgsql: Add API functions to libpq to interrogate SSL related stuff.

pgsql: Add API functions to libpq to interrogate SSL related stuff.

From: Heikki Linnakangas
Add API functions to libpq to interrogate SSL related stuff.

This makes it possible to query for things like the SSL version and cipher
used, without depending on OpenSSL functions or macros. That is a good
thing if we ever get another SSL implementation.

PQgetssl() still works, but it should be considered as deprecated as it
only works with OpenSSL. In particular, PQgetSslInUse() should be used to
check if a connection uses SSL, because as soon as we have another
implementation, PQgetssl() will return NULL even if SSL is in use.

Branch
------
master

Details
-------
http://git.postgresql.org/pg/commitdiff/91fa7b4719ac583420d9143132ba4ccddefbc5b2

Modified Files
--------------
doc/src/sgml/libpq.sgml                  |  155 +++++++++++++++++++++++++++---
src/bin/psql/command.c                   |   35 +++----
src/interfaces/libpq/exports.txt         |    4 +
src/interfaces/libpq/fe-secure-openssl.c |   68 +++++++++++++
src/interfaces/libpq/fe-secure.c         |   20 ++++
src/interfaces/libpq/libpq-fe.h          |    6 ++
6 files changed, 251 insertions(+), 37 deletions(-)


Re: pgsql: Add API functions to libpq to interrogate SSL related stuff.

From: Tom Lane
Heikki Linnakangas <heikki.linnakangas@iki.fi> writes:
> Add API functions to libpq to interrogate SSL related stuff.

This patch is one large brick shy of a load: it creates exported libpq
functions but fails to ensure they always exist.  That's why jacana is
unhappy; though TBH I'm astonished that any non-ssl-enabled builds
are passing.  Apparently missing library functions are less of a hard
error on Linux than they ought to be.

I think probably the exported functions need to be defined in fe-exec.c
or fe-connect.c, with bodies along the lines of

#ifdef USE_OPENSSL
   call OpenSSL-specific function
#else
   return NULL
#endif

(or whatever's appropriate when no SSL support).  We do want these
functions to exist even in non-SSL-enabled builds.

            regards, tom lane
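
The difference the commit message draws between an OpenSSL-only handle check and an implementation-neutral "SSL in use" check, as an added example that is not libpq code and not part of the thread. The `demo_*` names, the struct and the sample values are hypothetical stand-ins.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a client connection; not libpq's PGconn. */
typedef enum { DEMO_TLS_NONE, DEMO_TLS_OPENSSL, DEMO_TLS_OTHER } demo_backend;

typedef struct {
    demo_backend backend;        /* which TLS implementation did the handshake */
    void        *openssl_handle; /* set only when backend == DEMO_TLS_OPENSSL */
    const char  *protocol;       /* constructed sample value, e.g. "TLSv1.2" */
    const char  *cipher;         /* constructed sample value */
} demo_conn;

/* PQgetssl()-style accessor: exposes the OpenSSL object, NULL for anything else. */
void *demo_getssl(const demo_conn *conn)
{
    if (conn == NULL || conn->backend != DEMO_TLS_OPENSSL)
        return NULL;
    return conn->openssl_handle;
}

/* Implementation-neutral check: true for any TLS backend. */
int demo_ssl_in_use(const demo_conn *conn)
{
    return conn != NULL && conn->backend != DEMO_TLS_NONE;
}

/* Implementation-neutral attribute lookup; NULL when unencrypted or unknown. */
const char *demo_ssl_attribute(const demo_conn *conn, const char *name)
{
    if (!demo_ssl_in_use(conn) || name == NULL)
        return NULL;
    if (strcmp(name, "protocol") == 0)
        return conn->protocol;
    if (strcmp(name, "cipher") == 0)
        return conn->cipher;
    return NULL;
}

/* Client policy: 1 = link is encrypted, safe to send credentials; 0 = abort.
 * The legacy variant misreports a non-OpenSSL TLS connection as plaintext. */
int demo_may_send_password_legacy(const demo_conn *conn)
{
    return demo_getssl(conn) != NULL;
}

int demo_may_send_password(const demo_conn *conn)
{
    return demo_ssl_in_use(conn);
}
```

The two policy functions agree for OpenSSL and plaintext connections and differ only for the third backend, which is the case the deprecation note is about.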