On Wed, 6 Dec 2023 at 08:32, Chris Angelico <[email protected]> wrote:
>
> On Wed, 6 Dec 2023 at 05:10, Chris Angelico <[email protected]> wrote:
> > Sound good? I'll try to put together an implementation, although I'm not sure there's a viable way to add tests for it.
> >
>
> In working on the implementation, I'm running into some trouble with SSL connections in general. As of Pike 8.1, the pgsql module uses Shuffler (this wasn't the case in Pike 8.0, but for unrelated reasons I'm not able to build Pike 8.0 on here at the moment). Non-SSL connections are fine, but SSL ones run into a problem due to sendcmd() calling shuffle->add_source(this) early in connectloop(), before the shuffler is created down below. Can anyone confirm whether or not Pike 9.0 is able to establish SSL encrypted connections in this way?
>
Welp. Over the past few days, I have learned:

1. I don't know much about SSL's internals.
2. I REALLY don't know much about SSL's internals.
3. It's surprisingly hard to find tools that can help you debug client certificates.

Anyhow. I've created the branch rosuav/pgsql-ssl for this. Can someone review it please? Particularly with respect to the "DEBUG HACK" commit there, where I ripped out all of the Shuffler code and just went straight to the Stdio.Buffer; there's a lot going on with the Shuffler and I'm sure there's a way better way to make this work, but I wasn't able to figure that out.

But the upshot is that I was able to connect to PostgreSQL with a client cert, and get authenticated! Here's the script I used for testing:

https://github.com/Rosuav/StilleBot/blob/master/pgssl.pike
https://github.com/Rosuav/StilleBot/blob/master/sslport.pike (mini server to show certs)

To get things to work, I had to force the Context to return a certificate (done with subclassing here), and for the mini server, I had to add the root cert to the end of the chain. More things that I don't fully understand. But after 48 hours with Wireshark, I've come to the conclusion that, if it works, it works...

If anyone has time to read over this and weigh in, I would very much appreciate it!

ChrisA
