Re: Adding support for SSLKEYLOGFILE in the frontend

Jelte Fennema-Nio <postgres@jeltef.nl>

From: Jelte Fennema-Nio <postgres@jeltef.nl>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Daniel Gustafsson <daniel@yesql.se>, Peter Eisentraut <peter@eisentraut.org>, Tom Lane <tgl@sss.pgh.pa.us>, Abhishek Chanda <abhishek.becs@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-03-20T13:11:12Z
Lists: pgsql-hackers
On Mon, 17 Mar 2025 at 16:48, Jacob Champion
<jacob.champion@enterprisedb.com> wrote:
>
> On Sun, Mar 16, 2025 at 6:49 AM Daniel Gustafsson <daniel@yesql.se> wrote:
> > IIRC the reasoning has been that if a rogue user can inject an environment
> > variable into your session and read your files it's probably game over anyways.
>
> (Personally I'm no longer as convinced by this line of argument as I
> once was...)

I'm not saying there's no attack possible here (although I cannot
think of one), but we allow configuring every other SSL option using
an env var^1. So if there is an attack possible, why would that only
apply to being able to control the sslkeylogfile as opposed to e.g.
sslmode or sslrootcert.

^1 except for "sslpassword", which is weird because that seems exactly
like one of the options you might not want to store in a connection
string for security reasons.



Commits

  1. Fix sslkeylogfile error handling logging

  2. Mark sslkeylogfile as Debug option

  3. libpq: Add support for dumping SSL key material to file