[pgpool-hackers: 2993] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II

Jesper Pedersen jesper.pedersen at redhat.com
Sat Aug 25 01:12:12 JST 2018


Hi,

On 08/23/2018 01:53 PM, Jesper Pedersen wrote:
> I think we should add a _pgpool_ identifier to the SSL configuration to 
> make it clear that it's 2) that is being supported at the moment, like 
> ssl_pgpool_cert and so on. 3) and 4) could be ssl_backend_ based ones.
> 

Here is a start in that direction. I added the documentation for the 
ssl_backend_ settings, but those need a discussion. They are

* ssl_backend_users_cert_dir

Maybe just a directory structure, like

  sslusers/user1/pgpool.key
  sslusers/user1/pgpool.crt
  sslusers/user2/pgpool.key
  sslusers/user2/pgpool.crt

and so on, if the option is 'sslusers'.

* ssl_backend_mode

I think we can assume that all connections share their policy. Default 
is require.

* ssl_backend_cert_auth

Certificate authority. Shared by all connections.

* ssl_backend_cert_revoke_list

Certificate revoke list. Shared by all connections.


FYI, I haven't looked at the Client to Pgpool-II part yet in detail.

Best regards,
  Jesper
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Rename-ssl_-to-ssl_pgpool_.patch
Type: text/x-patch
Size: 28043 bytes
Desc: not available
URL: <http://www.sraoss.jp/pipermail/pgpool-hackers/attachments/20180824/fb3fe20a/attachment-0001.bin>

