[pgpool-hackers: 3566] Re: Proposal: Support for SSL passphrase

Tatsuo Ishii ishii at sraoss.co.jp
Fri Mar 27 09:57:52 JST 2020


Thanks. I will look into this.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp

> Hi Hackers,
> Please find attached test case for SSL Passphrase Support. A new
> configuration variable, 'ssl_passphrase_command', is added. The external command
> provided in this variable will be used to get the passphrase to decrypt SSL
> file(s). As mentioned in the last email, if a passphrase is required but not
> provided using this configuration variable, PgPool will fail to load
> (which is the same behaviour as pgpool 4.1 has now).
> 
> Patch includes:
> 1. SSL passphrase callbacks implementation
> 2. Test cases
> 3. Documentation
> 
> Let me know of any feedback/suggestions, or any scenario that I have missed.
> 
> Regards,
> Umar Hayat
> Principal Software Engineer
> EnterpriseDB: https://www.enterprisedb.com
> 
> 
> 
> On Fri, Mar 13, 2020 at 3:03 PM Umar Hayat <m.umarkiani at gmail.com> wrote:
> 
>> Hi Hackers,
>> I am implementing support for the SSL passphrase feature in PgPool. If we
>> compare the existing PostgreSQL and PgPool implementations of SSL (when a
>> passphrase is required):
>> PostgreSQL:
>> On Server start,
>> a) If 'ssl_passphrase_command' is defined, it will register a callback for
>> the external command provided
>> b) otherwise it will register the default, which is *prompting* the user to input
>> the password
>> On Reload Configuration,
>> a) If 'ssl_passphrase_command' is defined and
>> 'ssl_passphrase_command_supports_reload' is defined, then use the external
>> command provided in 'ssl_passphrase_command'
>> b) otherwise suppress the prompt, and fail intentionally with a dummy value.
>>
>> PgPool:
>> a) Registers a dummy implementation and fails in all cases.
>>
>> My question is:
>> Should we prompt for the passphrase in any case? Or must the user provide the
>> password via 'ssl_passphrase_command' only? Any suggestions?
>> If we should provide a prompt, in which scenario?
>>
>> At the moment, what I implemented is no prompt in any case.
>>
>> Regards,
>> Umar Hayat
>> Principal Software Engineer
>> EnterpriseDB: https://www.enterprisedb.com
>>
>>
>>
>>
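
The no-prompt behaviour described in the quoted proposal, as an added example that is not part of the thread or the attached patch: a callback with the shape of OpenSSL's pem_password_cb that obtains the passphrase from an external command and returns 0 (so key loading fails) when the command is unset, exits non-zero, prints nothing, or prints more than fits the buffer. The function name and passing the command string through userdata are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* POSIX popen/pclose, declared explicitly so this also builds under strict -std=c11. */
FILE *popen(const char *command, const char *mode);
int pclose(FILE *stream);

/*
 * Hypothetical callback with the shape of OpenSSL's pem_password_cb.
 * userdata carries the configured command string (assumption).
 * Returns the passphrase length, or 0 so that key loading fails.
 * It never reads from the terminal.
 */
int passphrase_from_command_cb(char *buf, int size, int rwflag, void *userdata)
{
    const char *cmd = userdata;
    FILE *p;
    int truncated = 0, status;
    size_t len;

    (void) rwflag;                       /* used for decryption only */
    if (buf == NULL || size < 2 || cmd == NULL || cmd[0] == '\0')
        return 0;                        /* no command configured: fail, no prompt */

    p = popen(cmd, "r");
    if (p == NULL)
        return 0;
    if (fgets(buf, size, p) == NULL)
        buf[0] = '\0';                   /* command printed nothing */
    len = strlen(buf);
    if (len > 0 && buf[len - 1] != '\n') {
        int c = fgetc(p);                /* more text on the line: did not fit */
        truncated = (c != EOF && c != '\n');
    }
    while (fgetc(p) != EOF)              /* drain so the command can exit */
        ;
    status = pclose(p);

    while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
        buf[--len] = '\0';               /* strip the line terminator */

    if (status != 0 || truncated || len == 0) {
        memset(buf, 0, (size_t) size);   /* do not leave a partial secret behind */
        return 0;
    }
    return (int) len;
}
```

Failing closed on a truncated read matters here: a silently shortened passphrase would surface only as an unexplained key decryption error.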

