Re: pgsql/src backend/libpq/be-secure.c include/li ...

Lists: pgsql-committers
From: momjian(at)postgresql(dot)org (Bruce Momjian - CVS)
To: pgsql-committers(at)postgresql(dot)org
Subject: pgsql/src backend/libpq/be-secure.c include/li ...
Date: 2002-06-14 04:36:58
Message-ID: 20020614043658.86A96476FFE@postgresql.org

CVSROOT: /cvsroot
Module name: pgsql
Changes by: momjian(at)postgresql(dot)org 02/06/14 00:36:58

Modified files:
src/backend/libpq: be-secure.c
src/include/libpq: libpq-be.h
src/interfaces/libpq: fe-secure.c

Log message:
SSL patch that adds support for optional client certificates.

If the user has certificates in $HOME/.postgresql/postgresql.crt
and $HOME/.postgresql/postgresql.key, they are provided
to the server. The certificate used to sign this cert must be
known to the server, in $DataDir/root.crt. If successful, the
cert's "common name" is logged.

Client certs are not used for authentication, but they could be
via the port->peer (X509 *), port->peer_dn (char *) or
port->peer_cn (char *) fields. Or any other function could be
used, e.g., many sites like the issuer + serial number hash.

Bear Giles
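
The layout the log message describes, as an added example that is not part of the original commit or of the PostgreSQL tree: a throwaway root CA whose root.crt the server trusts, a client certificate under $HOME/.postgresql/, the chain check against root.crt, the common name that would be logged, and an issuer + serial hash. The CA names, the CN "alice", the serial number and the helper function names are constructed for the illustration; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example; CA names, CN "alice" and serial 1001 are constructed values.
set -eu

# make_root DIR CN: self-signed CA; DIR/root.crt is the file the server trusts.
make_root() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
    chmod 600 "$1/root.key"
}

# issue_client CADIR HOME CN SERIAL: key and cert under HOME/.postgresql/.
issue_client() {
    d="$2/.postgresql"; mkdir -p "$d"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$d/postgresql.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/client.csr" -set_serial "$4" \
        -CA "$1/root.crt" -CAkey "$1/root.key" -out "$d/postgresql.crt" 2>/dev/null
    chmod 600 "$d/postgresql.key"
}

# cert_trusted DATADIR CERT: succeeds only if CERT chains to DATADIR/root.crt.
cert_trusted() { openssl verify -CAfile "$1/root.crt" "$2" >/dev/null 2>&1; }

# cert_cn CERT: the common name, the value the server would log.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^.*CN=\([^,]*\).*$/\1/p'
}

# cert_id CERT: SHA-256 over issuer DN + serial (the "issuer + serial" idea).
cert_id() {
    { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253
      openssl x509 -in "$1" -noout -serial; } | openssl dgst -sha256 | sed 's/^.*= *//'
}

demo() {
    t=$(mktemp -d)
    make_root "$t/data" demo-root;   issue_client "$t/data"  "$t/alice"     alice 1001
    make_root "$t/other" other-root; issue_client "$t/other" "$t/untrusted" alice 1001
    for h in alice untrusted; do
        c="$t/$h/.postgresql/postgresql.crt"
        if cert_trusted "$t/data" "$c"; then v=trusted; else v=rejected; fi
        echo "$h: CN=$(cert_cn "$c") $v id=$(cert_id "$c")"
    done
    rm -rf "$t"
}
demo
```

The second certificate carries the same CN and serial but is signed by a CA the server does not know, so the chain check rejects it and its issuer + serial hash differs from the trusted one.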


From: "Christopher Kings-Lynne" <chriskl(at)familyhealth(dot)com(dot)au>
To: "Bruce Momjian - CVS" <momjian(at)postgresql(dot)org>, <pgsql-committers(at)postgresql(dot)org>
Subject: Re: pgsql/src backend/libpq/be-secure.c include/li ...
Date: 2002-06-14 04:50:48
Message-ID: GNELIHDDFBOCMGBFGEFOKEMCCCAA.chriskl@familyhealth.com.au

> If the user has certificates in $HOME/.postgresql/postgresql.crt
> and $HOME/.postgresql/postgresql.key, they are provided
> to the server. The certificate used to sign this cert must be
> known to the server, in $DataDir/root.crt. If successful, the
> cert's "common name" is logged.

How about we put a script or Makefile in $datadir that eases the generation
of a server cert and signing users...?

Chris


From: "Christopher Kings-Lynne" <chriskl(at)familyhealth(dot)com(dot)au>
To: "Christopher Kings-Lynne" <chriskl(at)familyhealth(dot)com(dot)au>, "Bruce Momjian - CVS" <momjian(at)postgresql(dot)org>, <pgsql-committers(at)postgresql(dot)org>
Subject: Re: pgsql/src backend/libpq/be-secure.c include/li ...
Date: 2002-06-14 05:25:53
Message-ID: GNELIHDDFBOCMGBFGEFOCEMDCCAA.chriskl@familyhealth.com.au

Doh - looks like there's one in the ssl interfaces section...

Chris



From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>
Cc: Bruce Momjian - CVS <momjian(at)postgresql(dot)org>, pgsql-committers(at)postgresql(dot)org
Subject: Re: pgsql/src backend/libpq/be-secure.c include/li ...
Date: 2002-06-14 16:23:29
Message-ID: 200206141623.g5EGNT806269@candle.pha.pa.us

Christopher Kings-Lynne wrote:
> Doh - looks like there's one in the ssl interfaces section...

Yes, I put the tools stuff in interfaces/ssl. Not sure what to do with
it, though. No Makefile supplied or anything.


--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026