Re: libpq sslpassword parameter and callback function
From | Andrew Dunstan |
---|---|
Subject | Re: libpq sslpassword parameter and callback function |
Date | |
Msg-id | 72c44d94-6ac6-d47c-9547-7423c7bf6f33@2ndQuadrant.com |
In response to | Re: libpq sslpassword parameter and callback function (Andrew Dunstan <andrew.dunstan@2ndquadrant.com>) |
Responses | Re: libpq sslpassword parameter and callback function; Re: libpq sslpassword parameter and callback function |
List | pgsql-hackers |
On 10/31/19 6:34 PM, Andrew Dunstan wrote:
> This time with attachment.
>
> On 10/31/19 6:33 PM, Andrew Dunstan wrote:
>> This patch provides for an sslpassword parameter for libpq, and a hook
>> that a client can fill in for a callback function to set the password.
>>
>> This provides similar facilities to those already available in the JDBC
>> driver.
>>
>> There is also a function to fetch the sslpassword from the connection
>> parameters, in the same way that other settings can be fetched.
>>
>> This is mostly the excellent work of my colleague Craig Ringer, with a
>> few embellishments from me.
>>
>> Here are his notes:
>>
>> Allow libpq to non-interactively decrypt client certificates that are stored
>> encrypted by adding a new "sslpassword" connection option.
>>
>> The sslpassword option offers a middle ground between a cleartext key and
>> setting up advanced key management via openssl engines, PKCS#11, USB crypto
>> offload and key escrow, etc.
>>
>> Previously use of encrypted client certificate keys only worked if the user
>> could enter the key's password interactively on stdin, in response to openssl's
>> default prompt callback:
>>
>> Enter PEM passphrase:
>>
>> That's infeasible in many situations, especially things like use from
>> postgres_fdw.
>>
>> This change also allows admins to prevent libpq from ever prompting for a
>> password by calling:
>>
>> PQsetSSLKeyPassHook(PQdefaultSSLKeyPassHook);
>>
>> which is useful since OpenSSL likes to open /dev/tty to prompt for a password,
>> so even closing stdin won't stop it blocking if there's no user input available.
>> Applications may also override or extend SSL password fetching with their own
>> callback.
>>
>> There is deliberately no environment variable equivalent for the sslpassword
>> option.
>>

I should also mention that this patch provides for support for DER format certificates and keys.

cheers

andrew

-- 
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
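As an added illustration (not code from the patch, from libpq, or from the poster) of what the notes above describe at the OpenSSL layer: two callbacks in OpenSSL's `pem_password_cb` shape, one that supplies a configured key passphrase without touching stdin or /dev/tty, and one that refuses outright, which is the behaviour the notes attribute to installing `PQdefaultSSLKeyPassHook`. The `sslpassword_source` struct, the function names and the sample passphrase are my own assumptions; OpenSSL treats a return value of 0 or less as "no passphrase available" and fails the key load instead of blocking.

```c
/* Added example (not code from the patch or from libpq): non-interactive PEM
 * key-passphrase callbacks in OpenSSL's pem_password_cb shape,
 * int cb(char *buf, int size, int rwflag, void *userdata). Names are illustrative. */
#include <stdio.h>
#include <string.h>

/* Caller-supplied passphrase source, e.g. the value of the "sslpassword"
 * connection option after the application has parsed its connection string. */
struct sslpassword_source {
    const char *password;   /* NULL means "not configured" */
};

/* "Never prompt": report no passphrase (return 0) so the key load fails
 * immediately instead of OpenSSL opening /dev/tty and blocking for input. */
int never_prompt_cb(char *buf, int size, int rwflag, void *userdata)
{
    (void)rwflag; (void)userdata;
    if (buf != NULL && size > 0)
        buf[0] = '\0';
    return 0;
}

/* Supply the configured passphrase. Returns its length on success, or 0 when
 * nothing is configured or it would not fit in the buffer OpenSSL provides. */
int sslpassword_cb(char *buf, int size, int rwflag, void *userdata)
{
    const struct sslpassword_source *src = userdata;
    size_t len;

    (void)rwflag;   /* 0 when reading a key; this callback never writes keys */
    if (src == NULL || src->password == NULL || buf == NULL || size <= 0)
        return 0;
    len = strlen(src->password);
    if (len == 0 || len >= (size_t)size)   /* refuse rather than truncate */
        return 0;
    memcpy(buf, src->password, len);
    buf[len] = '\0';
    return (int)len;
}

int main(void)
{
    char buf[64];
    struct sslpassword_source src = { "example-key-passphrase" }; /* constructed */
    int n = sslpassword_cb(buf, sizeof buf, 0, &src);
    printf("configured: %d bytes, never-prompt: %d\n",
           n, never_prompt_cb(buf, sizeof buf, 0, NULL));
    return 0;
}
```

With a real OpenSSL build, `sslpassword_cb` would be passed as the callback argument to the key-loading routine together with `&src` as userdata; `never_prompt_cb` is the drop-in for environments such as postgres_fdw where no terminal can ever answer a prompt.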