Discussion: pgsql/src backend/libpq/be-secure.c include/li ...
pgsql/src backend/libpq/be-secure.c include/li ...
From
momjian@postgresql.org (Bruce Momjian - CVS)
Date:
CVSROOT: /cvsroot
Module name: pgsql
Changes by: momjian@postgresql.org 02/06/14 00:36:58
Modified files:
src/backend/libpq: be-secure.c
src/include/libpq: libpq-be.h
src/interfaces/libpq: fe-secure.c
Log message:
SSL patch that adds support for optional client certificates.
If the user has certificates in $HOME/.postgresql/postgresql.crt
and $HOME/.postgresql/postgresql.key exist, they are provided
to the server. The certificate used to sign this cert must be
known to the server, in $DataDir/root.crt. If successful, the
cert's "common name" is logged.
Client certs are not used for authentication, but they could be
via the port->peer (X509 *), port->peer_dn (char *) or
port->peer_cn (char *) fields. Or any other function could be
used, e.g., many sites like the issuer + serial number hash.
Bear Giles
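
The file layout described in the commit message above, as an added example that is not part of the original commit or of PostgreSQL's own tooling: a POSIX shell script using the openssl command line that creates a root CA, signs a client certificate, checks it against root.crt and reads the common name. The throwaway lab directory, the name alice, the serial number and the SHA-256 issuer-plus-serial identifier are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: everything lives in a throwaway directory (constructed lab)
# that mirrors $DataDir/root.crt and $HOME/.postgresql/postgresql.{crt,key}.
set -eu

make_lab() {    # $1 = lab dir, $2 = client common name, $3 = certificate serial
    mkdir -p "$1/datadir" "$1/ca" "$1/home/.postgresql"
    # Root CA; its certificate is what the server trusts as $DataDir/root.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
        -keyout "$1/ca/root.key" -out "$1/datadir/root.crt" 2>/dev/null
    # Client key and signing request, then the CA signs the client certificate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/home/.postgresql/postgresql.key" -out "$1/ca/client.csr" 2>/dev/null
    chmod 600 "$1/home/.postgresql/postgresql.key" "$1/ca/root.key"
    openssl x509 -req -in "$1/ca/client.csr" -days 30 -set_serial "$3" \
        -CA "$1/datadir/root.crt" -CAkey "$1/ca/root.key" \
        -out "$1/home/.postgresql/postgresql.crt" 2>/dev/null
}

verify_client() {   # $1 = root.crt, $2 = client cert; status 0 only if the chain is valid
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

peer_cn() {         # $1 = client cert; prints the subject common name
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

issuer_serial_id() {    # $1 = client cert; SHA-256 over issuer DN + serial (assumed scheme)
    openssl x509 -in "$1" -noout -issuer -serial -nameopt RFC2253 |
        openssl dgst -sha256 | awk '{print $NF}'
}

lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT
make_lab "$lab" alice 4097
crt="$lab/home/.postgresql/postgresql.crt"
if verify_client "$lab/datadir/root.crt" "$crt"; then
    echo "accepted: cn=$(peer_cn "$crt") id=$(issuer_serial_id "$crt")"
else
    echo "rejected: certificate does not chain to root.crt"
fi
```

An issuer-plus-serial identifier only identifies a certificate once the chain has been verified, since anyone can create a CA with the same subject name.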
> If the user has certificates in $HOME/.postgresql/postgresql.crt
> and $HOME/.postgresql/postgresql.key exist, they are provided
> to the server. The certificate used to sign this cert must be
> known to the server, in $DataDir/root.crt. If successful, the
> cert's "common name" is logged.

How about we put a script or Makefile in $datadir that eases the generation
of a server cert and signing users...?

Chris
Doh - looks like there's one in the ssl interfaces section...

Chris

> -----Original Message-----
> From: pgsql-committers-owner@postgresql.org
> [mailto:pgsql-committers-owner@postgresql.org]On Behalf Of Christopher
> Kings-Lynne
> Sent: Friday, 14 June 2002 12:51 PM
> To: Bruce Momjian - CVS; pgsql-committers@postgresql.org
> Subject: Re: [COMMITTERS] pgsql/src backend/libpq/be-secure.c include/li
> ...
>
>
> > If the user has certificates in $HOME/.postgresql/postgresql.crt
> > and $HOME/.postgresql/postgresql.key exist, they are provided
> > to the server. The certificate used to sign this cert must be
> > known to the server, in $DataDir/root.crt. If successful, the
> > cert's "common name" is logged.
>
> How about we put a script or Makefile in $datadir that eases the
> generation
> of a server cert and signing users...?
>
> Chris
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo@postgresql.org so that your
> message can get through to the mailing list cleanly
>
Christopher Kings-Lynne wrote:
> Doh - looks like there's one in the ssl interfaces section...

Yes, I put the tools stuff in interfaces/ssl. Not sure what to do with
it, though. No makefile supplied or anything.

>
> Chris
>
> > -----Original Message-----
> > From: pgsql-committers-owner@postgresql.org
> > [mailto:pgsql-committers-owner@postgresql.org]On Behalf Of Christopher
> > Kings-Lynne
> > Sent: Friday, 14 June 2002 12:51 PM
> > To: Bruce Momjian - CVS; pgsql-committers@postgresql.org
> > Subject: Re: [COMMITTERS] pgsql/src backend/libpq/be-secure.c include/li
> > ...
> >
> >
> > > If the user has certificates in $HOME/.postgresql/postgresql.crt
> > > and $HOME/.postgresql/postgresql.key exist, they are provided
> > > to the server. The certificate used to sign this cert must be
> > > known to the server, in $DataDir/root.crt. If successful, the
> > > cert's "common name" is logged.
> >
> > How about we put a script or Makefile in $datadir that eases the
> > generation
> > of a server cert and signing users...?
> >
> > Chris
> >

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026