[pgpool-hackers: 138] Re: SSL mutual authentication (with patch)
Tatsuo Ishii
ishii at postgresql.org
Fri Oct 5 17:55:54 JST 2012
Thank you for the patch.
I am not an expert on SSL, so I would love to hear from others on the list.
If we could agree this is a good thing, the patch will be merged into 3.3.
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp
> Hi,
>
> We recently encountered a problem using pgpool with mutual authentication
> between a client (pgpool) and a server (postgres). We determined that the
> problem was due to pgpool not loading client certificates & private keys
> when connecting to a backend - while pgpool loaded a CA certificate to
> authenticate the backend, it did not provide its own credentials to said
> backend.
>
> We were unsure whether or not this was a deliberate omission, and so we
> changed the pgpool codebase to allow for mutual authentication. The changes
> provide for additional per-backend configuration directives to set
> certificates, keys, etc. These directives are then used when configuring
> the OpenSSL context.
>
> I have attached a patch against Git revision
> 3f89a334fe08dfcd199d9e45728a04ddb1d2ec85.
>
> Cheers,
> Warren Armstrong