Thread: ssl-info, enforcing list of common-names

ssl-info, enforcing list of common-names

From
Craig Perras
Date:
Hi -

A couple things. I noticed that these two functions return NULL (or empty
string):

select ssl_issuer_dn();
select ssl_client_dn();

However, I can get specific fields:

select '/CN=' || ssl_issuer_field('commonName')
   || '/C=' || ssl_issuer_field('countryName')
   || '/O=' || ssl_issuer_field('organizationName')
   ;

--returns "/CN=UW Services CA/C=US/O=University of Washington"

I'm thinking of using an authorization scheme in which I check a list of
valid certificate common-names, and, if the current client has no cert or
is not in the list, they have no access (maybe force a logout). Is this
feasible and/or advisable? I'll only have a single trusted CA.

Any help is appreciated!

thanks,
--craig
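
The scheme described in the message above, sketched as an added example (not part of the original post or of the sslinfo module): an allow-list table of common names checked against the current connection's client certificate. The table name, function names and sample CN are hypothetical, and it assumes the sslinfo contrib functions are installed in the database.

```sql
-- Added example; allowed_client_cn, client_cn_is_allowed() and
-- require_allowed_client() are hypothetical names.

-- Allow-list of certificate common names permitted to use the application.
CREATE TABLE allowed_client_cn (
    common_name text PRIMARY KEY
);

-- Constructed sample entry.
INSERT INTO allowed_client_cn (common_name)
VALUES ('reporting-client.example.org');

-- True only when the session uses SSL, the client presented a certificate,
-- and that certificate's CN is in the allow-list. Any NULL (no SSL, no
-- certificate, no CN field) is treated as "not allowed".
CREATE FUNCTION client_cn_is_allowed() RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT COALESCE(
        ssl_is_used()
        AND ssl_client_cert_present()
        AND EXISTS (
            SELECT 1
            FROM allowed_client_cn a
            WHERE a.common_name = ssl_client_dn_field('commonName')
        ),
        false);
$$;

-- Guard that aborts the current statement for clients outside the list.
CREATE FUNCTION require_allowed_client() RETURNS void
LANGUAGE plpgsql AS $$
BEGIN
    IF NOT client_cn_is_allowed() THEN
        RAISE EXCEPTION 'client certificate CN is not authorized';
    END IF;
END;
$$;

-- Example check for the current connection.
SELECT client_cn_is_allowed();
```

Because these functions run after authentication, they restrict what a connected client can do rather than who can connect. The CN is only meaningful when the server already validates client certificates against the single trusted CA.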

Re: ssl-info, enforcing list of common-names

From
Bruce Momjian
Date:
Would someone please reply to this question.

---------------------------------------------------------------------------

Craig Perras wrote:
> Hi -
>
> A couple things. I noticed that these two functions return NULL (or empty
> string):
>
> select ssl_issuer_dn();
> select ssl_client_dn();
>
> However, I can get specific fields:
>
> select '/CN=' || ssl_issuer_field('commonName')
>    || '/C=' || ssl_issuer_field('countryName')
>    || '/O=' || ssl_issuer_field('organizationName')
>    ;
>
> --returns "/CN=UW Services CA/C=US/O=University of Washington"
>
> I'm thinking of using an authorization scheme in which I check a list of
> valid certificate common-names, and, if the current client has no cert or
> is not in the list, they have no access (maybe force a logout). Is this
> feasible and/or advisable? I'll only have a single trusted CA.
>
> Any help is appreciated!
>
> thanks,
> --craig
>
> --
> Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +