On 12.09.2013 17:30, Andrew Dunstan wrote:
On 09/12/2013 09:10 AM, Heikki Linnakangas wrote:
I just found out that OpenSSL has added support for SRP in version
1.0.1. We're already using OpenSSL, so all we need to do is to provide
a couple of callbacks to OpenSSL, and store SRP verifiers in pg_authid
instead of MD5 hashes, and we're golden.
Well, not quite. There's one little problem: Currently, we first
initialize SSL, then read the startup packet which contains the
username and database to connect to. After that, we initialize
database access to the specified database, and only then we proceed
with authentication. That's not a problem for certificate
authentication, because certificate authentication doesn't require any
database access, but if we are to store the SRP verifiers in
pg_authid, we'll need to database access much earlier. Before we know
which database to connect to.
You forgot to mention that we'd actually like to get away from being
tied closely to OpenSSL because it has caused license grief in the past
(not to mention that it's fairly dirty to manage).
Yeah. I've been looking more closely at the SRP API in OpenSSL; it's
completely undocumented. There are examples on the web and mailing lists
on how to use it, but no documentation. Hopefully that gets fixed
eventually.
GnuTLS also supports SRP. They even have documentation for it :-). The
API is slightly different than OpenSSL's, but not radically so. If we
are to start supporting multiple TLS libraries, we're going to need some
kind of a shim layer to abstract away the differences. Writing such a
shim for the SRP stuff wouldn't be much additional effort, once you have
the shim for all the other stuff in place.
- Heikki
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
