I had a requirement the other day to support a connection using an SSL Client certificate. I set this up, and it worked nicely. But there's a fly in the ointment. While the openssl libraries will ask for a pass phrase for the key file if required when running psql, this is not usable in other circumstances. pgAdminIII fails on it miserably, and so does a dblink connection. The first is especially important, because it makes the use of client certificates in fact quite dangerous when the client is running on a laptop computer which is liable to be stolen. I actually have requirements to make both these cases work if possible.
ISTM we need to be able to supply a pass phrase to libpq (via the options?) which would allow libpq to call SSL_CTX_set_default_passwd_cb_userdata or something similar which would allow the key file to be unlocked.
Thoughts?

cheers

andrew

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
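The following script is an added example, not code from the mail above or from PostgreSQL. It uses the openssl command-line tool (assumed to be on PATH, along with mktemp) to reproduce the situation Andrew describes: a client key encrypted under a passphrase is useless to whoever picks up the laptop, but it can only be opened if something hands the passphrase to OpenSSL, which is the job the proposed libpq callback would do. The file names and the passphrase are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original mail. It uses the openssl CLI to
# show the behaviour the post describes: a passphrase-protected client key
# cannot be used until something supplies the passphrase, and a caller that
# can hand one over non-interactively (the role the proposed libpq callback
# would play) can open it. File names and the passphrase are made up.
set -eu

# Generate a client key encrypted under $2 into $1. genrsa's -aes256 and
# -passout options work on OpenSSL 1.0 through 3.x. "pass:" puts the secret
# on the command line, which is fine for a throwaway demo but shows up in
# ps output; prefer file: or env: in real use.
make_encrypted_key() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# 0 if the PEM file carries an encryption header (legacy "Proc-Type:
# 4,ENCRYPTED" or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"), 1 otherwise.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# 0 if the key in $1 decodes with passphrase $2, 1 if not. This is the same
# decision OpenSSL's passwd callback feeds into when a library loads the key.
key_opens_with() {
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Full run: returns 0 only if the generated key is encrypted, rejects a wrong
# passphrase, and opens with the right one.
demo() {
    work=$(mktemp -d)
    key="$work/client.key"
    pass='demo-passphrase'
    rc=1
    if make_encrypted_key "$key" "$pass" \
        && key_is_encrypted "$key" \
        && ! key_opens_with "$key" 'wrong-guess' \
        && key_opens_with "$key" "$pass"; then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

if demo; then
    echo "encrypted key rejects a wrong passphrase and opens with the right one"
else
    echo "demo failed" >&2
    exit 1
fi
```

Run it with `sh` and it prints a single confirmation line. The point for the thread is the third step: a tool that cannot supply the passphrase (pgAdminIII, dblink) is in the same position as the thief, while one that can pass it in programmatically works. For the record, libpq did eventually grow exactly this plumbing: PostgreSQL 13 added the `sslpassword` connection parameter and `PQsetSSLKeyPassHook_OpenSSL()` for supplying the client key passphrase non-interactively.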