Bug report: pgAdmin on Windows does not support password-protected private key

From: Julien Picalausa
Subject: Bug report: pgAdmin on Windows does not support password-protected private key
Msg-id e959caaafc18001e4076355ce14219af@webmail.skydragoness.com
List: pgadmin-support

On Windows, attempting to connect to a PostgreSQL server requiring 
authentication via client certificate using a password-protected private 
key results in the following error:

---------------------------
pgAdmin III
---------------------------
An error has occurred:

Error connecting to the server: could not load private key file 
"X:\certificates\pgsql.key": problems getting password

---------------------------
OK
---------------------------


This was tested on Windows 7 64-bit, with both 1.18.1 and the recent 
1.20 RC installed using the binary distribution from the official 
website.

Reproduction steps:
- Set up a PostgreSQL server requiring SSL client certificates for 
  establishing connection.
- Generate client certificates and do -not- strip the password from the 
  key.
- In pgAdmin, go to File > Add Server.
- Fill in Host, Port and Username to match the previously set up server.
- Fill in the password field with the key password (or not, it doesn't 
  matter).
- In the SSL tab, provide the path to the client certificate and to the 
  password-protected key.
- Click OK.

Expected: Prompt for password (or password from the password field gets 
used if it was filled in).
Actual: The dialog shown above pops up.


I have performed some analysis of the issue and came to the following 
conclusion:
In pgadmin/db/pgConn.cpp: After initializing the connection in 
PgCom::PgConn, pgConn::DoConnect is called. From there, PQconnectdb from 
libpq-fe.h 
(http://doxygen.postgresql.org/libpq-fe_8h.html#aadc241635050560f83175b32b54ea1ce) 
is called. The key file is passed as is.
Eventually, we end up in initialize_SSL 
(http://doxygen.postgresql.org/fe-secure-openssl_8c.html#aca721300f7145e97baf7be0aab3d8ff5) 
where SSL_use_PrivateKey is called.
Then OpenSSL tries to open the private key. Since 
SSL_CTX_set_default_passwd_cb was not used, we end up in the default 
callback PEM_def_callback (in crypto/pem/pem_lib.c).
In order to ask for a password, OpenSSL tries to open the console 
(open_console in crypto/ui/ui_openssl.c).
This fails since pgAdmin isn't attached to a console.

Thus, PEM_def_callback fails with "problems getting password"; 
initialize_SSL fails with "could not load private key file" and finally 
pgAdmin fails with "Error connecting to the server".


Proposed solutions:
If my analysis is correct (and I can't be sure it is, since it was 
performed with simple source inspection), there are two possible 
solutions to this:
The nice one: Add support in libpq for passing through a callback to 
OpenSSL via SSL_CTX_set_default_passwd_cb. This would allow pgAdmin to 
implement such a callback which either displays a password prompt or 
passes the password provided with the server info.
The easy one: Simply calling AllocConsole 
(http://msdn.microsoft.com/en-us/library/windows/desktop/ms681944%28v=vs.85%29.aspx) 
sometime before calling PQconnectdb and then calling FreeConsole 
after the connection is established should allow OpenSSL to display its 
prompt if it needs to.

Sadly, I don't have the time to set up my dev environment to compile 
pgAdmin, so I cannot confirm that those solutions are actually working. 
Still, I hope this preliminary work will help in getting the issue 
resolved quicker.

Best regards,
Julien Picalausa
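
The "nice" solution in the message depends on a password callback that never needs a console. One way to write such a callback in C, as an added example that is not part of the original message nor pgAdmin or libpq code: `struct key_pass`, `gui_passwd_cb`, `install_gui_passwd_cb` and the `WITH_OPENSSL` build macro are hypothetical names; only the callback signature and the two `SSL_CTX_set_default_passwd_cb*` calls come from OpenSSL.

```c
/* Added example: a pem_password_cb-style callback that never opens a console. */
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for the key passphrase the GUI already collected. */
struct key_pass {
    const char *passphrase;   /* NULL when the user supplied none */
};

/* Same signature as OpenSSL's pem_password_cb. Returns the number of
 * passphrase bytes written to buf, or 0 when no passphrase is available. */
int gui_passwd_cb(char *buf, int size, int rwflag, void *userdata)
{
    const struct key_pass *kp = userdata;
    size_t len;

    (void)rwflag;             /* 0 means "decrypting", the case on this page */
    if (buf == NULL || size <= 0 || kp == NULL || kp->passphrase == NULL)
        return 0;             /* report failure instead of prompting */

    len = strlen(kp->passphrase);
    if (len == 0 || len > (size_t)size)
        return 0;             /* refuse to hand over a truncated passphrase */

    memcpy(buf, kp->passphrase, len);   /* length is returned, no NUL needed */
    return (int)len;
}

#ifdef WITH_OPENSSL           /* hypothetical macro: build against OpenSSL */
#include <openssl/ssl.h>
/* Must run before the private key is loaded into the context. */
void install_gui_passwd_cb(SSL_CTX *ctx, struct key_pass *kp)
{
    SSL_CTX_set_default_passwd_cb(ctx, gui_passwd_cb);
    SSL_CTX_set_default_passwd_cb_userdata(ctx, kp);
}
#endif

int main(void)
{
    char buf[64];
    struct key_pass kp = { "constructed-passphrase" };   /* constructed sample */
    int n = gui_passwd_cb(buf, (int)sizeof buf, 0, &kp);
    printf("callback returned %d bytes\n", n);
    return n > 0 ? 0 : 1;
}
```
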


