[pgpool-hackers: 3004] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II

Tatsuo Ishii ishii at sraoss.co.jp
Tue Aug 28 09:20:58 JST 2018

Hi Jesper,

> Hi,
> On 08/27/2018 04:26 AM, Tatsuo Ishii wrote:
>> Thanks for the patch.
>> I assume this is going to be handled in 4.1 development cycle unless
>> otherwise Usama wants to import into 4.0.
> I think that people will assume that SSL can be used in the entire
> stack if the release notes state support for certificate
> authentication; currently Pgpool-II <- SSL -> PostgreSQL doesn't work.

It's not clear in the release note but actually it's stated in the

    The certificate authentication works between client and
    <productname>Pgpool-II</productname>, for the
    backend authentication you can use any other authentication method

> I see that Client <- SSL -> Pgpool-II support has a benefit if you
> assume that Pgpool-II is deployed on an internal and secure network,
> but I think it would be better that we fix everything for 4.0.
> The attached patch is further along, and I believe that most of the
> changes will be in pool-ssl.c now.

While waiting for a response from Usama, I wonder if you could provide a full
patch to implement the certificate auth between Pgpool-II and
PostgreSQL. Because we are close to the release of 4.0, and if we want to
push the feature, we need a full patch which includes the below now:

- Code patch
- Document patch
- Regression test

> At least we should consider renaming the ssl_ configuration options,
> so they don't have to be renamed in 4.1.
> I renamed 'ssl_backend_cert_auth' to 'ssl_backend_ca_cert' and
> 'ssl_backend_cert_revoke_list' to 'ssl_backend_ca_crl', and exposed
> the options. There are a number of TODOs in pool-ssl.c, so it is still
> non-working.

So you cannot provide a working full patch for now. If so, I recommend
moving the feature to the 4.1 development cycle.

> BTW, do we need 'ssl_ca_cert_dir' ? PostgreSQL doesn't expose such an
> option, so maybe NULL is better ? See their root_cert_dir code.
> Thanks for your work on 0000419 !

You are welcome!

> Best regards,
>  Jesper

Best regards,
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
