Re: ssl passphrase callback

Andrew Dunstan <andrew.dunstan@2ndquadrant.com>

From: Andrew Dunstan <andrew.dunstan@2ndquadrant.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Alvaro Herrera <alvherre@2ndquadrant.com>, Bruce Momjian <bruce@momjian.us>, Magnus Hagander <magnus@hagander.net>, Tomas Vondra <tomas.vondra@2ndquadrant.com>, Simon Riggs <simon@2ndquadrant.com>, Robert Haas <robertmhaas@gmail.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-01-22T07:02:01Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Provide a TLS init hook

Attachments

On Sun, Dec 8, 2019 at 9:02 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
> > Well that pretty much brings us back to the patch as submitted :-)
>
> Yeah, pretty nearly.  Taking a quick look over the v3 patch, my
> only quibble is that it doesn't provide any convenient way for the
> external module to make decisions about how to interact with
> ssl_passphrase_command --- in particular, if it would like to allow
> that to take precedence, it can't because there's no way for it to
> invoke the static function ssl_external_passwd_cb.
>
> But rather than expose that globally, maybe the theory ought to be
> "set up the state as we'd normally do, then let loadable modules
> choose to override it".  So I'm tempted to propose a hook function
> with the signature
>
> void openssl_tls_init_hook(SSL_CTX *context, bool isServerStart);
>
> and invoke that somewhere in be_tls_init --- maybe fairly late,
> so that it can override other settings if it wants, not only the
> SSL_CTX_set_default_passwd_cb setting.
>


Not sure if the placement is what you want, but maybe something like this?

cheers

andrew


-- 
Andrew Dunstan                https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services