[pgpool-hackers: 3567] Re: Proposal: Support for SSL passphrase

Tatsuo Ishii ishii at sraoss.co.jp
Mon Mar 30 12:38:34 JST 2020


I have committed the patches with a small modification. The regression
test is located in 072 in the patch, which is in the number range for
bug cases (050 or above). So I changed it to 029.

Also I have added a Japanese document as usual.

Again, thank you!

> Thanks. I will look into this.
> 
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese: http://www.sraoss.co.jp
> 
>> Hi Hackers,
>> Please find attached the test case for SSL Passphrase Support. A new
>> configuration variable, 'ssl_passphrase_command', is added. The external command
>> provided in this variable will be used to get the passphrase to decrypt SSL
>> file(s). As mentioned in the last email, if a passphrase is required but not
>> provided using this configuration variable, PgPool will fail to load
>> (which is the same behaviour as pgpool 4.1 has now).
>> 
>> The patch includes:
>> 1. SSL passphrase callbacks implementation
>> 2. Test cases
>> 3. Documentation
>> 
>> Let me know of any feedback/suggestions, or any scenario that I have missed.
>> 
>> Regards,
>> Umar Hayat
>> Principal Software Engineer
>> EnterpriseDB: https://www.enterprisedb.com
>> 
>> 
>> 
>> On Fri, Mar 13, 2020 at 3:03 PM Umar Hayat <m.umarkiani at gmail.com> wrote:
>> 
>>> Hi Hackers,
>>> I am implementing support for the SSL passphrase feature in PgPool. If we
>>> compare the existing PostgreSQL and PgPool implementations of SSL (when
>>> a passphrase is required):
>>> PostgreSQL:
>>> On server start,
>>> a) If 'ssl_passphrase_command' is defined, it will register a callback for
>>> the external command provided
>>> b) otherwise it will register the default, which is *prompting* the user to input
>>> the password
>>> On reload of the configuration,
>>> a) If 'ssl_passphrase_command' is defined and
>>> 'ssl_passphrase_command_supports_reload' is defined, then use the external
>>> command provided in 'ssl_passphrase_command'
>>> b) otherwise suppress the prompt, and fail intentionally with a dummy value.
>>>
>>> PgPool:
>>> a) Registers a dummy implementation and fails in all cases.
>>>
>>> My question is:
>>> Should we prompt for the passphrase in any case? Or must the user provide
>>> the password via 'ssl_passphrase_command' only? Any suggestions?
>>> If we should provide a prompt, in which scenario?
>>>
>>> At the moment, what I have implemented is no prompt in any case.
>>>
>>> Regards,
>>> Umar Hayat
>>> Principal Software Engineer
>>> EnterpriseDB: https://www.enterprisedb.com
>>>
>>>
>>>
>>>
> _______________________________________________
> pgpool-hackers mailing list
> pgpool-hackers at pgpool.net
> http://www.pgpool.net/mailman/listinfo/pgpool-hackers
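
The behaviour discussed in the thread (run the external command when 'ssl_passphrase_command' is set, never prompt, fail otherwise), as an added example that is not part of the thread or of the committed pgpool patch. The callback uses the signature of OpenSSL's pem_password_cb; the names run_passphrase_command and passphrase_cb, and passing the command string through userdata, are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
/* Hypothetical helper: run cmd through the shell and copy the first line of
 * its stdout into buf. Returns the passphrase length, or 0 on any failure. */
static int run_passphrase_command(const char *cmd, char *buf, int size)
{
    FILE *fp;
    int c, status;
    size_t len;
    if (cmd == NULL || *cmd == '\0' || buf == NULL || size < 2)
        return 0;
    buf[0] = '\0';
    if ((fp = popen(cmd, "r")) == NULL)
        return 0;
    if (fgets(buf, size, fp) == NULL)
        buf[0] = '\0';
    while ((c = fgetc(fp)) != EOF)   /* drain so the child is not killed by SIGPIPE */
        ;
    status = pclose(fp);
    if (status == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
    {
        memset(buf, 0, (size_t) size);   /* do not keep output of a failed command */
        return 0;
    }
    len = strcspn(buf, "\r\n");          /* strip the trailing newline */
    buf[len] = '\0';
    return (int) len;
}

/* Same signature as OpenSSL's pem_password_cb. userdata is assumed to carry
 * the configured command string (NULL or empty when the setting is unset). */
static int passphrase_cb(char *buf, int size, int rwflag, void *userdata)
{
    (void) rwflag;
    if (userdata == NULL || *(const char *) userdata == '\0')
    {   /* no command configured: no prompt, empty passphrase, key load fails */
        if (buf != NULL && size > 0) buf[0] = '\0';
        return 0;
    }
    return run_passphrase_command((const char *) userdata, buf, size);
}

int main(int argc, char **argv)
{
    char buf[256];
    return passphrase_cb(buf, sizeof buf, 0, argc > 1 ? argv[1] : NULL) > 0 ? 0 : 1;
}
```

A first line longer than the buffer is truncated here rather than rejected, so size the buffer for the longest passphrase the command can return.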

