* Heikki Linnakangas (hlinnakan...@vmware.com) wrote: > server_cert_valid: Did the server present a valid certificate? > "yes" or "no" > > server_cert_matches_host: Does the Common Name of the certificate > match the host connected to? "yes" or "no"
Aren't these questions addressed by sslmode? > Exposing the SSL information as generic key/value pairs allows > adding more attributes in the future, without breaking the ABI, and > it also allows exposing implementation-specific information in a > generic way. The attributes listed above cover the needs of psql. > What else do we need? At first blush, I'd say a whole bunch.. Off the top of my head I can think of: For all certificates: (client, server, cert that signed each, any intermediate CAs, root CAs) Certificate itself (perhaps in DER, PEM, X509 formats..) Fingerprint Signed-By info Common Name Organization (et al) Alternate names Issue date, expiration date CRL info, OCSP info Allowed usage (encryption, signing, etc) CRL checking done? OCSP used? > I think it would also be nice to get more information from the > server's certificate, like the hostname and the organization its > issued to, and expiration date, so that an interactive client like > pgAdmin or even psql could display that information like a web > browser does. Would it be best to add those as extra attributes in > the above list, perhaps with a "server_cert_*" prefix, or add a new > function for extracting server cert's attributes? This really shouldn't be for *just* the server's certificate but rather available for all certificates involved- on both sides. > The other question is: What do we do with PQgetssl()? We should > document it as deprecated, but we'll have to keep it around for the > foreseeable future for backwards-compatibility. We obviously cannot > return a valid OpenSSL struct when using any other implementation, > so I think it'll have to just return NULL when not using OpenSSL. > Probably the most common use of PQgetssl() is to just check if it > returns NULL or not, to determine if SSL is enabled, so a client > that does that would incorrectly think that SSL is not used, even > when it is. I think we can live with that. That's not ideal, but the only other option I can think of offhand is to break the existing API and force everyone to update and that seems worse. Have you looked at how this change will play out with the ODBC driver..? Especially on Windows with the SSL library you're proposing we use there.. I recall that at one point the ODBC driver simply used libpq to handle the authentication and set everything up, and then switched to talking directly without libpq. In any case, it'd probably be good to make sure the attributes you're suggesting are sufficient to meet the needs of the ODBC driver too. Thanks, Stephen
Description: Digital signature