[pgpool-hackers: 494] Re: SSL mutual authentication (with patch)

Sam Lancia sam at gpsm.co.uk
Fri Apr 18 16:28:03 JST 2014


Hi there,
I don't know if there was any other debate on this patch but I couldn't
find it. Client certificates are essential to my use of pgpool. I tested
this patch on top of 3.3.3 and it appeared to work very well for it. I
suggest it be considered for merge.
Many thanks,
Sam

>
> Thank you for the patch.
> I am not an expert on SSL, so I would love to hear from others on the list.
> If we could agree this is a good thing, the patch will be merged into 3.3.
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese: http://www.sraoss.co.jp
>
> > Hi,
> >
> > We recently encountered a problem using pgpool with mutual authentication
> > between a client (pgpool) and a server (postgres).  We determined that the
> > problem was due to pgpool not loading client certificates & private keys
> > when connecting to a backend - while pgpool loaded a CA certificate to
> > authenticate the backend, it did not provide its own credentials to said
> > backend.
> >
> > We were unsure whether or not this was a deliberate omission, and so we
> > changed the pgpool codebase to allow for mutual authentication.  The
> > changes provide for additional per-backend configuration directives to set
> > certificates, keys, etc.  These directives are then used when configuring
> > the OpenSSL context.
> >
> > I have attached a patch against Git revision
> > 3f89a334fe08dfcd199d9e45728a04ddb1d2ec85.
> >
> > Cheers,
> > Warren Armstrong