I'm not sure whether this will be of use to anyone else, but the attached patch lets an environment variable tell libpq where to find the SSL certificate/key files used for a secure connection.
At the moment, if a user has multiple applications on a single machine connecting with different SSL certificates, each process must be launched as a different OS user, with the certificates placed in that user's home directory (and that is only on *nix; it is not workable on Windows at all). The current method is not scalable, either. With the attached patch, the user just sets the environment variable, e.g.

PGSQL_SSL_PATH=/home/test/cert_directory/app_1/ /usr/local/pgsql/bin/psql -U postgres -h 127.0.0.1 -p 5432
PGSQL_SSL_PATH=/home/test/cert_directory/app_2/ /usr/local/pgsql/bin/psql -U postgres -h 127.0.0.1 -p 5433

It follows the existing conventions by looking for the actual certificates within the .postgresql sub-directory of the provided path.

*Terence J. Ferraro*
--- a/postgresql-9.5.2/src/interfaces/libpq/fe-secure-openssl.c 2016-03-28 16:07:39.000000000 -0400
+++ b/postgresql-9.5.2/src/interfaces/libpq/fe-secure-openssl.c 2016-04-15 23:12:17.493355856 -0400
@@ -35,6 +35,7 @@
 #else
 #include <sys/socket.h>
 #include <unistd.h>
+#include <stdlib.h>
 #include <netdb.h>
 #include <netinet/in.h>
 #ifdef HAVE_NETINET_TCP_H
@@ -936,7 +937,14 @@
 bool have_homedir;
 bool have_cert;
 EVP_PKEY *pkey = NULL;
-
+ char *custom_homedir;
+ bool have_custom_homedir;
+
+ custom_homedir = getenv("PGSQL_SSL_PATH");
+
+ if(custom_homedir == NULL) { have_custom_homedir = false; }
+ else { have_custom_homedir = true; }
+
 /*
 * We'll need the home directory if any of the relevant parameters are
 * defaulted. If pqGetHomeDirectory fails, act as though none of the
@@ -953,6 +961,9 @@
 /* Read the client certificate file */
 if (conn->sslcert && strlen(conn->sslcert) > 0)
 strlcpy(fnbuf, conn->sslcert, sizeof(fnbuf));
+ /* ENV variable specified, load that certificate file */
+ else if (have_custom_homedir)
+ snprintf(fnbuf, sizeof(fnbuf), "%s/%s", custom_homedir, USER_CERT_FILE);
 else if (have_homedir)
 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
 else
@@ -1146,6 +1157,11 @@
 strlcpy(fnbuf, conn->sslkey, sizeof(fnbuf));
 }
 }
+ else if (have_custom_homedir)
+ {
+ /* ENV variable specified, load that file */
+ snprintf(fnbuf, sizeof(fnbuf), "%s/%s", custom_homedir, USER_KEY_FILE);
+ }
 else if (have_homedir)
 {
 /* No PGSSLKEY specified, load default file */
@@ -1207,6 +1223,8 @@
 */
 if (conn->sslrootcert && strlen(conn->sslrootcert) > 0)
 strlcpy(fnbuf, conn->sslrootcert, sizeof(fnbuf));
+ else if (have_custom_homedir)
+ snprintf(fnbuf, sizeof(fnbuf), "%s/%s", custom_homedir, ROOT_CERT_FILE);
 else if (have_homedir)
 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
 else
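Review bot: The new `#include <stdlib.h>` is placed inside the `#else` branch of the platform conditional visible at the top of the hunk, so on the other branch (presumably the WIN32 side, which this hunk does not show) `getenv` gets no declaration from this change. If `postgres_fe.h` already pulls in `<stdlib.h>`, as is likely for a PostgreSQL frontend file but not visible here, the added line is redundant and can simply be dropped; otherwise it belongs above the conditional so both platforms see it.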
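Review bot: An environment variable that is set but empty is accepted as a valid directory: `getenv` returns `""` rather than `NULL`, so `have_custom_homedir` becomes true and the later `snprintf` calls build paths rooted at `/` (for example `/.postgresql/root.crt`), silently replacing the user's certificate, key and trust-anchor lookups. The two-line `if`/`else` should become `have_custom_homedir = (custom_homedir != NULL && custom_homedir[0] != '\0');`, matching the `strlen(...) > 0` test applied to `conn->sslcert` in the following hunk, and PostgreSQL style would also want `if (` with a space and the declarations grouped with the other locals. Reading the environment directly here also bypasses the connection-option machinery that the `conn->ssl*` fields come from, so the value presumably cannot be set per-connection or inspected the way those options can; a comment at the `getenv` line such as `/* PGSQL_SSL_PATH replaces the home directory as the base for the default .postgresql/ files; explicit ssl* options still win */` would at least document the precedence. The enclosing function starts before this hunk and ends after it.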
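Review bot: With the variable set, the root CA bundle used for `sslmode=verify-ca`/`verify-full` is read from under `custom_homedir` instead of the home directory, so any program that honours an attacker-influenced environment (setuid/setgid helpers, services inheriting a caller's environment) would have its trust anchors redirected to an attacker-chosen file. libpq already allows an explicit override through `conn->sslrootcert`, which this hunk checks first, but that path flows through the connection options rather than a raw `getenv`, so the new branch deserves an explicit caveat in the code and in the documentation, e.g. `/* PGSQL_SSL_PATH also relocates root.crt, i.e. the trust anchors; do not honour it in privileged processes */`. The `snprintf` result is not checked for truncation, but that matches the existing `homedir` branch below it. The enclosing function continues outside the hunk.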
@@ -1245,6 +1263,8 @@
 {
 if (conn->sslcrl && strlen(conn->sslcrl) > 0)
 strlcpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
+ else if (have_custom_homedir)
+ snprintf(fnbuf, sizeof(fnbuf), "%s/%s", custom_homedir, ROOT_CRL_FILE);
 else if (have_homedir)
 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
 else
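Review bot: This is the fourth copy of the same `else if (have_custom_homedir) snprintf(fnbuf, sizeof(fnbuf), "%s/%s", custom_homedir, ...)` branch in the patch, each preceding an identical `homedir` branch; as written, the four sites can drift apart (the key-file site already differs in layout and comment). A small static helper that takes the file name and writes the default path from `custom_homedir` or `homedir` into `fnbuf`, returning whether either base was available, would keep the precedence rule in one place; this hunk's enclosing block starts and ends outside the hunk, so the refactor is for a follow-up rather than a line-level change here.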