Home > mailing lists

A successor for PQgetssl - Mailing list pgsql-hackers

From	Martijn van Oosterhout
Subject	A successor for PQgetssl
Date	April 16, 2006 17:40:26
Msg-id	20060416204020.GE6591@svana.org Whole thread Raw
Responses	Re: A successor for PQgetssl
List	pgsql-hackers

Tree view

There was some discussion about the issues relating to using other SSL
libraries. In a nutshell, it came down to that we couldn't return
anything other than an OpenSSL pointer from PQgetssl because existing
programs simply wouldn't know what to do with it.

So, I was pondering what we might want from an alternative. What I've
come up with is the following:

PGresult *PQgettlsinfo(PGconn *conn);

Now, other than for the first time giving users access to the
information like peer DN and CN, it also provides some other
information they might want. And it's done in a way that's extensible.

Do people like this idea?

Note, I don't return a pointer to the GnuTLS session anywhere. I think
that's a bad idea all round and we need to provide another way for
programs to acheive the same effect.

The thing is, it could be extended to include almost anything. One
example would be if the user authenticated using kerberos, we could add
a few rows indicating that. I suppose you would call it
PQgetconninfo().

Thoughts?

*** PostgreSQL with GnuTLS

I've got it almost completely working and have tested interoperability.
You can find it here:

http://svana.org/kleptog/temp/gnutls.patch

The patch does the following:

- Adds configure stuff for gnutls so it checks for the libraries when
you specify --with-gnutls. You may need to run autoconf and autoheader
after patching.

- Both fe-secure.c and be-secure.c have been made TLS library agnostic.
They only refer to functions that implement TLS specific stuff which
are implemented in the files:

src/interfaces/libpq/fe-secure-openssl.c
src/interfaces/libpq/fe-secure-gnutls.c
src/backend/libpq/be-secure-openssl.c
src/backend/libpq/be-secure-gnutls.c

The makefile determines which (if either) is linked in.

- Implements the PQgettlsinfo() as described above and alters psql to
use it. Hence psql is now also TLS library agnostic.

Differences between the two implementations are:

- GnuTLS generates the DH key on the fly on server start, which takes a
few seconds. The OpenSSL versions use hardcoded keys which can be
overridden by the user. Not sure which is best here.

- This breaks psqlODBC when it uses libpq because it wants to use OpenSSL
and when libpq is compiled with GnuTLS that obviously won't work.
Recent thread on -hackers found no resolution for this problem.

- Both support authentication of the server and authentication of the
client, though more testing is need to test all the different
combinations of keys and certificates that are allowed.

- Different output for PQgettlsinfo()

That about it. There's no real difference from the users point of view,
it Just Works either way. In the future we may be able to use the PGP
support in GnuTLS. In other words, provide the server with a pgp
keyring and it accepts any user which a matching key in the keyring.

I hope to post of -patches sometime soon, once some of the kinks have
been ironed out.

Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

pgsql-hackers by date:

From: Martijn van Oosterhout
Date: 16 April 2006, 17:29:22
Subject: Re: Regrading TODO item alerting pg_hba.conf from SQL

From: Tom Lane
Date: 16 April 2006, 17:45:04
Subject: Re: Is full_page_writes=off safe in conjunction with

A successor for PQgetssl - Mailing list pgsql-hackers

Previous

Next