[pgpool-hackers: 3569] Re: Proposal: Support for SSL passphrase

Tatsuo Ishii ishii at sraoss.co.jp
Wed Apr 1 13:57:53 JST 2020


Hi Umar,

Unfortunately the build farm is failing on the new
029.cert_passphrase. Can you please take a look at this?

> I have committed the patches with a small modification. The regression
> test is located in 072 in the patch, which is in the number range for
> bug cases (050 or above). So I changed it to 029.
> 
> Also I have added a Japanese document as usual.
> 
> Again, thank you!
> 
>> Thanks. I will look into this.
>> 
>> Best regards,
>> --
>> Tatsuo Ishii
>> SRA OSS, Inc. Japan
>> English: http://www.sraoss.co.jp/index_en.php
>> Japanese:http://www.sraoss.co.jp
>> 
>>> Hi Hackers,
>>> Please find attached the test case for SSL passphrase support. A new
>>> configuration variable, 'ssl_passphrase_command', is added. The external command
>>> provided in this variable will be used to get the passphrase to decrypt SSL
>>> file(s). As mentioned in the last email, if a passphrase is required but not
>>> provided using this configuration variable, PgPool will fail to load
>>> (which is the same behaviour as pgpool 4.1 as of now).
>>> 
>>> The patch includes:
>>> 1. SSL passphrase callbacks implementation
>>> 2. Test cases
>>> 3. Documentation
>>> 
>>> Let me know of any feedback/suggestions, or any scenario that I have missed.
>>> 
>>> Regards,
>>> Umar Hayat
>>> Principal Software Engineer
>>> EnterpriseDB: https://www.enterprisedb.com
>>> 
>>> 
>>> 
>>> On Fri, Mar 13, 2020 at 3:03 PM Umar Hayat <m.umarkiani at gmail.com> wrote:
>>> 
>>>> Hi Hackers,
>>>> I am implementing support for the SSL passphrase feature for PgPool. If we
>>>> compare the existing PostgreSQL and PgPool implementations of SSL (when a
>>>> passphrase is required):
>>>> PostgreSQL:
>>>> On server start,
>>>> a) If 'ssl_passphrase_command' is defined, it will register a callback for
>>>> the external command provided
>>>> b) otherwise it will register the default, which is *prompting* the user to input
>>>> the password
>>>> On reload of the configuration,
>>>> a) If 'ssl_passphrase_command' is defined and
>>>> 'ssl_passphrase_command_supports_reload' is defined, then use the external
>>>> command provided in 'ssl_passphrase_command'
>>>> b) otherwise suppress the prompt, and fail intentionally with a dummy value.
>>>>
>>>> PgPool:
>>>> a) Registers a dummy implementation and fails in all cases.
>>>>
>>>> My question is:
>>>> Should we prompt for the passphrase in any case? Or must the user provide the
>>>> password via 'ssl_passphrase_command' only? Any suggestions?
>>>> If we should provide a prompt, in which scenario?
>>>>
>>>> At the moment, what I have implemented is no prompt in any case.
>>>>
>>>> Regards,
>>>> Umar Hayat
>>>> Principal Software Engineer
>>>> EnterpriseDB: https://www.enterprisedb.com
>>>>
>>>>
>>>>
>>>>
>> _______________________________________________
>> pgpool-hackers mailing list
>> pgpool-hackers at pgpool.net
>> http://www.pgpool.net/mailman/listinfo/pgpool-hackers

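The two callback behaviours discussed in this thread (a dummy that always fails without prompting, and one that obtains the passphrase from an external command), sketched as an added example that is not code from the pgpool patch or from PostgreSQL. It assumes the callback shape of OpenSSL's `pem_password_cb` and that the configured command string is passed through `userdata`; the function names are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for popen/pclose */
#endif
#include <stdio.h>
#include <string.h>

/* Dummy callback: never prompts, returns an empty passphrase so that
 * loading an encrypted key fails intentionally. */
int dummy_passphrase_cb(char *buf, int size, int rwflag, void *userdata)
{
    (void) rwflag; (void) userdata;
    if (size > 0)
        buf[0] = '\0';
    return 0;
}

/* Command callback: userdata is the command string (assumption). Reads the
 * first line of the command's stdout into buf and returns its length.
 * Returns 0 (key load fails) if the command cannot run, prints nothing,
 * or exits non-zero. */
int command_passphrase_cb(char *buf, int size, int rwflag, void *userdata)
{
    const char *cmd = userdata;
    FILE *fp;
    int len, got_line, status;
    (void) rwflag;

    if (size <= 0)
        return 0;
    buf[0] = '\0';
    if (cmd == NULL || cmd[0] == '\0' || (fp = popen(cmd, "r")) == NULL)
        return 0;
    got_line = fgets(buf, size, fp) != NULL;
    status = pclose(fp);
    if (!got_line || status != 0) {
        memset(buf, 0, (size_t) size);   /* do not keep partial secrets */
        return 0;
    }
    len = (int) strlen(buf);
    while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
        buf[--len] = '\0';               /* strip trailing newline */
    return len;
}

int main(void)
{
    char buf[64];
    /* Constructed sample command standing in for the configured one. */
    int n = command_passphrase_cb(buf, sizeof buf, 0, "printf 'constructed-pass\\n'");
    printf("command callback returned %d bytes\n", n);
    return n > 0 ? 0 : 1;
}
```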
