On 10/31/19 7:27 PM, Andrew Dunstan wrote:
> On 10/31/19 6:34 PM, Andrew Dunstan wrote:
>> This time with attachment.
>>
>>
>> On 10/31/19 6:33 PM, Andrew Dunstan wrote:
>>> This patch provides for an sslpassword parameter for libpq, and a hook
>>> that a client can fill in for a callback function to set the password.
>>>
>>>
>>> This provides similar facilities to those already available in the JDBC
>>> driver.
>>>
>>>
>>> There is also a function to fetch the sslpassword from the connection
>>> parameters, in the same way that other settings can be fetched.
>>>
>>>
>>> This is mostly the excellent work of my colleague Craig Ringer, with a
>>> few embellishments from me.
>>>
>>>
>>> Here are his notes:
>>>
>>>
>>> Allow libpq to non-interactively decrypt client certificates that
>>> are stored
>>> encrypted by adding a new "sslpassword" connection option.
>>>
>>> The sslpassword option offers a middle ground between a cleartext
>>> key and
>>> setting up advanced key mangement via openssl engines, PKCS#11, USB
>>> crypto
>>> offload and key escrow, etc.
>>>
>>> Previously use of encrypted client certificate keys only worked if
>>> the user
>>> could enter the key's password interactively on stdin, in response
>>> to openssl's
>>> default prompt callback:
>>>
>>> Enter PEM passhprase:
>>>
>>> That's infesible in many situations, especially things like use from
>>> postgres_fdw.
>>>
>>> This change also allows admins to prevent libpq from ever prompting
>>> for a
>>> password by calling:
>>>
>>> PQsetSSLKeyPassHook(PQdefaultSSLKeyPassHook);
>>>
>>> which is useful since OpenSSL likes to open /dev/tty to prompt for a
>>> password,
>>> so even closing stdin won't stop it blocking if there's no user
>>> input available.
>>> Applications may also override or extend SSL password fetching with
>>> their own
>>> callback.
>>>
>>> There is deliberately no environment variable equivalent for the
>>> sslpassword
>>> option.
>>>
>>>
> I should also mention that this patch provides for support for DER
> format certificates and keys.
>
>
Here's an updated version of the patch, adjusted to the now committed
changes to TestLib.pm.
cheers
andrew
--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services