Re: Adding support for SSLKEYLOGFILE in the frontend

Abhishek Chanda <abhishek.becs@gmail.com>

From: Abhishek Chanda <abhishek.becs@gmail.com>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, pgsql-hackers@postgresql.org, Daniel Gustafsson <daniel@yesql.se>
Date: 2025-01-10T03:59:21Z
Lists: pgsql-hackers

Attachments

Thanks for the feedback, everyone. Attached a followup with the
following changes compared to the initial version:

1. Converted sslkeylogfile to a connection parameter
2. Added a mechanism to chmod the key log file to 0600
3. Added docs and tests

I tested this manually. Also ran make check and make check-world
locally. Please let me know if this needs any other changes.

Thanks

On Thu, Jan 9, 2025 at 2:36 PM Jacob Champion
<jacob.champion@enterprisedb.com> wrote:
>
> On Wed, Jan 8, 2025 at 5:17 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > I think it might be safer if we only accepted it as a connection
> > parameter and not via an environment variable.
>
> Making it a connection parameter also keeps us from colliding with any
> other linked libraries' use of SSLKEYLOGFILE (I'm thinking about
> libcurl at the moment, but I think maybe NSS used it too?).
>
> --Jacob



-- 
Thanks and regards
Abhishek Chanda

Commits

  1. Fix sslkeylogfile error handling logging

  2. Mark sslkeylogfile as Debug option

  3. libpq: Add support for dumping SSL key material to file