SSL Client Certificate pass phrases

From: Andrew Dunstan
Subject: SSL Client Certificate pass phrases
Msg-id: 4D3F5C03.1090402@dunslane.net
List: pgsql-hackers

I had a requirement the other day to support a connection using an SSL 
Client certificate. I set this up, and it worked nicely. But there's a 
fly in the ointment. While the openssl libraries will ask for a pass 
phrase for the key file if required when running psql, this is not 
usable in other circumstances. pgAdminIII fails on it miserably, and so 
does a dblink connection. The first is especially important, because it 
makes the use of client certificates in fact quite dangerous when the 
client is running on a laptop computer which is liable to be stolen. I 
actually have requirements to make both these cases work if possible.

ISTM we need to be able to supply a pass phrase to libpq (via the 
options?) which would allow libpq to call 
SSL_CTX_set_default_passwd_cb_userdata or something similar which would 
allow the key file to be unlocked.

Thoughts?

cheers

andrew