[pgpool-hackers: 3003] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II
Jesper Pedersen
jesper.pedersen at redhat.com
Tue Aug 28 04:10:09 JST 2018
Hi,
On 08/27/2018 04:26 AM, Tatsuo Ishii wrote:
> Thanks for the patch.
>
> I assume this is going to be handled in 4.1 development cycle unless
> otherwise Usama wants to import into 4.0.
>
I think that people will assume that SSL can be used in the entire stack
if the release notes state support for certificate authentication;
currently Pgpool-II <- SSL -> PostgreSQL doesn't work.

I see that Client <- SSL -> Pgpool-II support has a benefit if you
assume that Pgpool-II is deployed on an internal and secure network, but
I think it would be better that we fix everything for 4.0.

The attached patch is further along, and I believe that most of the
changes will be in pool-ssl.c now.

At least we should consider renaming the ssl_ configuration options, so
they don't have to be renamed in 4.1.

I renamed 'ssl_backend_cert_auth' to 'ssl_backend_ca_cert' and
'ssl_backend_cert_revoke_list' to 'ssl_backend_ca_crl', and exposed the
options. There are a number of TODOs in pool-ssl.c, so it is still
non-working.

BTW, do we need 'ssl_ca_cert_dir'? PostgreSQL doesn't expose such an
option, so maybe NULL is better? See their root_cert_dir code.

Thanks for your work on 0000419!

Best regards,
Jesper
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Rename-ssl_-to-ssl_pgpool-and-introduce-ssl_backend-.patch
Type: text/x-patch
Size: 37632 bytes
Desc: not available
URL: <http://www.sraoss.jp/pipermail/pgpool-hackers/attachments/20180827/f40a6715/attachment-0001.bin>