- Notifications
You must be signed in to change notification settings - Fork28
Commit4ed4b6c
committed
Rearrange libpq's SSL initialization to simplify it and make it handle some
additional cases correctly. The original coding failed to load additional(chain) certificates from the client cert file, meaning that indirectly signedclient certificates didn't work unless one hacked the server's root.crt fileto include intermediate CAs (not the desired approach). Another problem wasthat everything got loaded into the shared SSL_context object, which meantthat concurrent connections trying to use different sslcert settings couldwell fail due to conflicting over the single available slot for a keyedcertificate.To fix, get rid of the use of SSL_CTX_set_client_cert_cb(), which isdeprecated anyway in the OpenSSL documentation, and instead justunconditionally load the client cert and private key during connectioninitialization. This lets us use SSL_CTX_use_certificate_chain_file(),which does the right thing with additional certs, and is lots simpler thanthe previous hacking about with BIO-level access. A small disadvantage isthat we have to load the primary client cert a second time withSSL_use_certificate_file, so that that one ends up in the correct slotwithin the connection's SSL object where it can get paired with the key.Given the other overhead of making an SSL connection, that doesn't seemworth worrying about.Per discussion ensuing from bug #5468.1 parent0d046a4 commit4ed4b6c
2 files changed
+275
-329
lines changedLines changed: 2 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
11 | | - | |
| 11 | + | |
12 | 12 | | |
13 | 13 | | |
14 | 14 | | |
| |||
1623 | 1623 | | |
1624 | 1624 | | |
1625 | 1625 | | |
1626 | | - | |
| 1626 | + | |
1627 | 1627 | | |
1628 | 1628 | | |
1629 | 1629 | | |
| |||
0 commit comments
Comments
(0)