[pgpool-hackers: 3004] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II
ishii at sraoss.co.jp
Tue Aug 28 09:20:58 JST 2018
> On 08/27/2018 04:26 AM, Tatsuo Ishii wrote:
>> Thanks for the patch.
>> I assume this is going to be handled in 4.1 development cycle unless
>> otherwise Usama wants to import into 4.0.
> I think that people will assume that SSL can be used in the entire
> stack if the release notes state support for certificate
> authentication; currently Pgpool-II <- SSL -> PostgreSQL doesn't work.
It's not clear in the release note but actually it's stated in the
The certificate authentication works between client and
<productname>Pgpool-II</productname>, for the
backend authentication you can use any other authentication method
> I see that Client <- SSL -> Pgpool-II support has a benefit if you
> assume that Pgpool-II is deployed on an internal and secure network,
> but I think it would be better that we fix everything for 4.0.
> The attached patch is further along, and I believe that most of the
> changes will be in pool-ssl.c now.
While waiting for a response from Usama, I wonder if you could provide a full
patch to implement the certificate auth between Pgpool-II and
PostgreSQL. Because we are close to the release of 4.0, if we want to
push the feature, we need a full patch now which includes the following:
- Code patch
- Document patch
- Regression test
> At least we should consider renaming the ssl_ configuration options,
> so they don't have to be renamed in 4.1.
> I renamed 'ssl_backend_cert_auth' to 'ssl_backend_ca_cert' and
> 'ssl_backend_cert_revoke_list' to 'ssl_backend_ca_crl', and exposed
> the options. There are a number of TODOs in pool-ssl.c, so it is still
So you cannot provide a working full patch for now. If so, I recommend
moving the feature to the 4.1 development cycle.
> BTW, do we need 'ssl_ca_cert_dir' ? PostgreSQL doesn't expose such an
> option, so maybe NULL is better ? See their root_cert_dir code.
> Thanks for your work on 0000419 !
You are welcome!
> Best regards,
SRA OSS, Inc. Japan