On Windows, attempting to connect to a PostgreSQL server requiring authentication via client certificate using a password-protected private key results in the following error:

---------------------------
pgAdmin III
---------------------------
An error has occurred:

Error connecting to the server: could not load private key file "X:\certificates\pgsql.key": problems getting password

---------------------------
OK
---------------------------


This was tested on Windows 7 64-bit, with both 1.18.1 and the recent 1.20 RC installed using the binary distribution from the official website.

Reproduction steps:
-Set up a PostgreSQL server requiring SSL client certificates for establishing a connection.
-Generate client certificates and do -not- strip the password from the key.
-In pgAdmin, go to File > Add Server.
-Fill in Host, Port and Username to match the previously set up server.
-Fill in the password field with the key password (or not, it doesn't matter).
-In the SSL tab, provide the path to the client certificate and to the password-protected key.
-Click OK.

Expected: Prompt for password (or password from the password field gets used if it was filled in)
Actual: The dialog shown above pops up.


I have performed some analysis of the issue and got to the following conclusion. In pgadmin/db/pgConn.cpp: after initializing the connection in PgCom::PgConn, pgConn::DoConnect is called. From there PQconnectdb from libpq-fe.h ( http://doxygen.postgresql.org/libpq-fe_8h.html#aadc241635050560f83175b32b54ea1ce ) is called. The key file is passed as is. Eventually, we end up in initialize_SSL ( http://doxygen.postgresql.org/fe-secure-openssl_8c.html#aca721300f7145e97baf7be0aab3d8ff5 ), where SSL_use_PrivateKey is called. Then OpenSSL tries to open the private key. Since SSL_CTX_set_default_passwd_cb was not used, we end up in the default callback PEM_def_callback (in crypto/pem/pem_lib.c). In order to ask for a password, OpenSSL tries to open the console (open_console in crypto/ui/ui_openssl.c).
This fails since pgAdmin isn't attached to a console.

Thus, PEM_def_callback fails with the "problems getting password"; initialize_SSL fails with "could not load private key file" and finally pgAdmin fails with "Error connecting to the server".


Proposed solutions:
If my analysis is correct (and I can't be sure it is, since it was performed with simple source inspection), there are two possible solutions to this:
The nice one: Add support in libpq for passing a password through a callback to OpenSSL via SSL_CTX_set_default_passwd_cb. This would allow pgAdmin to implement such a callback which either displays a password prompt or passes the password provided with the server info.
The easy one: Simply calling AllocConsole ( http://msdn.microsoft.com/en-us/library/windows/desktop/ms681944%28v=vs.85%29.aspx ) sometime before calling PQconnectdb and then calling FreeConsole after the connection is established should allow OpenSSL to display its prompt if it needs to.

Sadly, I don't have the time to set up my dev environment to compile pgAdmin, so I cannot confirm that those solutions are actually working. Still, I hope this preliminary work will help in getting the issue resolved quicker.

Best regards,
    Julien Picalausa


--
Sent via pgadmin-support mailing list (pgadmin-support@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgadmin-support
