Re: Adding support for SSLKEYLOGFILE in the frontend

Heikki Linnakangas <hlinnaka@iki.fi>

From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Álvaro Herrera <alvherre@alvh.no-ip.org>, Daniel Gustafsson <daniel@yesql.se>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Jacob Champion <jacob.champion@enterprisedb.com>, Abhishek Chanda <abhishek.becs@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-03-20T10:58:14Z
Lists: pgsql-hackers
On 20/03/2025 11:39, Álvaro Herrera wrote:
> Hello,
> 
> It seems there's rough consensus on proceeding with a connection param
> and no environment variable.  TBH it's not very clear to me that an
> envvar is a great way to drive this, even if there weren't security
> considerations at play, just considering the case of a multithreaded
> program that opens two connections ... reading that log file is going to
> be super fun.

I believe the usual way to use SSLKEYLOGFILE is indeed to append all 
keys to the same file. That's how I use, at least. I'm not sure if 
openssl has some locking on it, but I've never had a problem with having 
data from different connections mixed up. The lines are not that long, 
it probably just relies on write(2) being atomic enough.

-- 
Heikki Linnakangas
Neon (https://neon.tech)




Commits

  1. Fix sslkeylogfile error handling logging

  2. Mark sslkeylogfile as Debug option

  3. libpq: Add support for dumping SSL key material to file