[pgpool-hackers: 3003] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II

Jesper Pedersen jesper.pedersen at redhat.com
Tue Aug 28 04:10:09 JST 2018


Hi,

On 08/27/2018 04:26 AM, Tatsuo Ishii wrote:
> Thanks for the patch.
> 
> I assume this is going to be handled in 4.1 development cycle unless
> otherwise Usama wants to import into 4.0.
> 

I think that people will assume that SSL can be used in the entire stack 
if the release notes state support for certificate authentication; 
currently Pgpool-II <- SSL -> PostgreSQL doesn't work.

I see that Client <- SSL -> Pgpool-II support has a benefit if you 
assume that Pgpool-II is deployed on an internal and secure network, but 
I think it would be better that we fix everything for 4.0.

The attached patch is further along, and I believe that most of the 
changes will be in pool-ssl.c now.

At least we should consider renaming the ssl_ configuration options, so 
they don't have to be renamed in 4.1.

I renamed 'ssl_backend_cert_auth' to 'ssl_backend_ca_cert' and 
'ssl_backend_cert_revoke_list' to 'ssl_backend_ca_crl', and exposed the 
options. There are a number of TODOs in pool-ssl.c, so it is still 
non-working.

BTW, do we need 'ssl_ca_cert_dir'? PostgreSQL doesn't expose such an 
option, so maybe NULL is better? See their root_cert_dir code.

Thanks for your work on 0000419!

Best regards,
  Jesper
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Rename-ssl_-to-ssl_pgpool-and-introduce-ssl_backend-.patch
Type: text/x-patch
Size: 37632 bytes
Desc: not available
URL: <http://www.sraoss.jp/pipermail/pgpool-hackers/attachments/20180827/f40a6715/attachment-0001.bin>

