Re: Adding support for SSLKEYLOGFILE in the frontend
Jelte Fennema-Nio <postgres@jeltef.nl>
From: Jelte Fennema-Nio <postgres@jeltef.nl>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Daniel Gustafsson <daniel@yesql.se>,
Peter Eisentraut <peter@eisentraut.org>, Tom Lane <tgl@sss.pgh.pa.us>, Abhishek Chanda <abhishek.becs@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-03-20T13:11:12Z
Lists: pgsql-hackers
On Mon, 17 Mar 2025 at 16:48, Jacob Champion <jacob.champion@enterprisedb.com> wrote: > > On Sun, Mar 16, 2025 at 6:49 AM Daniel Gustafsson <daniel@yesql.se> wrote: > > IIRC the reasoning has been that if a rogue user can inject an environment > > variable into your session and read your files it's probably game over anyways. > > (Personally I'm no longer as convinced by this line of argument as I > once was...) I'm not saying there's no attack possible here (although I cannot think of one), but we allow configuring every other SSL option using an env var^1. So if there is an attack possible, why would that only apply to being able to control the sslkeylogfile as opposed to e.g. sslmode or sslrootcert. ^1 except for "sslpassword", which is weird because that seems exactly like one of the options you might not want to store in a connection string for security reasons.
Commits
-
Fix sslkeylogfile error handling logging
- a6c0bf93031d 19 (unreleased) landed
- 39f01083facd 18.0 landed
-
Mark sslkeylogfile as Debug option
- 2970c75dd982 18.0 landed
-
libpq: Add support for dumping SSL key material to file
- 2da74d8d6400 18.0 landed