Re: Adding support for SSLKEYLOGFILE in the frontend

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Tom Lane <tgl@sss.pgh.pa.us>, Abhishek Chanda <abhishek.becs@gmail.com>, Álvaro Herrera <alvherre@alvh.no-ip.org>
Date: 2025-04-09T18:45:06Z
Lists: pgsql-hackers
> On 9 Apr 2025, at 20:41, Jacob Champion <jacob.champion@enterprisedb.com> wrote:
> 
> Hello,
> 
> On Thu, Apr 3, 2025 at 8:51 AM Daniel Gustafsson <daniel@yesql.se> wrote:
>> Committed, after another round of testing and looking.
> 
> I think we may want to consider marking sslkeylogfile as a debug
> option (that is, opt->dispchar = "D") in fe-connect.c. Besides being a
> true "debug option", this would also prevent a relatively unprivileged
> user of postgres_fdw or dblink from logging the backend connection's
> keys. WDYT?

I think that sounds like a good idea, unless anyone thinks otherwise I'll go
ahead and make it so.

--
Daniel Gustafsson




Commits

  1. Fix sslkeylogfile error handling logging

  2. Mark sslkeylogfile as Debug option

  3. libpq: Add support for dumping SSL key material to file