Re: Adding support for SSLKEYLOGFILE in the frontend
Heikki Linnakangas <hlinnaka@iki.fi>
From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Álvaro Herrera <alvherre@alvh.no-ip.org>, Daniel Gustafsson <daniel@yesql.se>
Cc: Tom Lane <tgl@sss.pgh.pa.us>,
Jacob Champion <jacob.champion@enterprisedb.com>,
Abhishek Chanda <abhishek.becs@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-03-20T10:58:14Z
Lists: pgsql-hackers
On 20/03/2025 11:39, Álvaro Herrera wrote: > Hello, > > It seems there's rough consensus on proceeding with a connection param > and no environment variable. TBH it's not very clear to me that an > envvar is a great way to drive this, even if there weren't security > considerations at play, just considering the case of a multithreaded > program that opens two connections ... reading that log file is going to > be super fun. I believe the usual way to use SSLKEYLOGFILE is indeed to append all keys to the same file. That's how I use, at least. I'm not sure if openssl has some locking on it, but I've never had a problem with having data from different connections mixed up. The lines are not that long, it probably just relies on write(2) being atomic enough. -- Heikki Linnakangas Neon (https://neon.tech)
Commits
-
Fix sslkeylogfile error handling logging
- a6c0bf93031d 19 (unreleased) landed
- 39f01083facd 18.0 landed
-
Mark sslkeylogfile as Debug option
- 2970c75dd982 18.0 landed
-
libpq: Add support for dumping SSL key material to file
- 2da74d8d6400 18.0 landed