Allow specifying a certificate via the connection string #2129

Open
roji opened this Issue Aug 25, 2018 · 5 comments

roji commented Aug 25, 2018

Connecting with a client certificate currently requires code. We can add a connection string parameter that simply points at a certificate file - this is necessary for some scenarios where no client code exists (VS Data Explorer, Excel, PowerBI...), and could make it easier even for regular programs to use client certificates.


austindrenski commented Aug 25, 2018

Should we also support an environment variable? (Along the lines of PGPASSFILE or PGTZ).


roji commented Aug 25, 2018

Uh, I'm not sure... I try to support environment variables where they're PostgreSQL standard ones, i.e. recognized by libpq. Is there an env var for specifying the location of a certificate?


austindrenski commented Aug 25, 2018

I was just thinking aloud earlier, but it turns out libpq does check for environment variables:

Per 33.18. SSL Support (emphasis added):

If the server attempts to verify the identity of the client by requesting the client's leaf certificate, libpq will send the certificates stored in file ~/.postgresql/postgresql.crt in the user's home directory. The certificates must chain to the root certificate trusted by the server. A matching private key file ~/.postgresql/postgresql.key must also be present. The private key file must not allow any access to world or group; achieve this by the command chmod 0600 ~/.postgresql/postgresql.key. On Microsoft Windows these files are named %APPDATA%\postgresql\postgresql.crt and %APPDATA%\postgresql\postgresql.key, and there is no special permissions check since the directory is presumed secure.

The location of the certificate and key files can be overridden by the connection parameters sslcert and sslkey or the environment variables PGSSLCERT and PGSSLKEY.
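The lookup rule quoted in the comment above, as an added Python sketch that is not part of the original thread and is not Npgsql or libpq code. The function names and the `params`/`env`/`home` arguments are hypothetical; the order "connection parameter, then environment variable, then default file" is an assumption based on libpq treating environment variables as defaults for unset parameters.

```python
import os
import stat
from pathlib import PurePosixPath, PureWindowsPath


def resolve_client_cert(params, env, home, windows=False):
    """Return (cert_path, key_path) for a client certificate.

    params: connection parameters (sslcert / sslkey), hypothetical dict
    env:    environment variables (PGSSLCERT / PGSSLKEY)
    home:   the user's home directory on Unix, %APPDATA% on Windows
    """
    if windows:
        base = PureWindowsPath(home) / "postgresql"
    else:
        base = PurePosixPath(home) / ".postgresql"
    resolved = []
    for param, var, default in (("sslcert", "PGSSLCERT", "postgresql.crt"),
                                ("sslkey", "PGSSLKEY", "postgresql.key")):
        # Explicit parameter first, then the environment variable,
        # then the per-user default file.
        resolved.append(params.get(param) or env.get(var) or str(base / default))
    return tuple(resolved)


def key_permission_problem(key_path):
    """Return None if the key passes the quoted Unix permission rule
    (no group or world access), else a description of the problem."""
    try:
        mode = os.stat(key_path).st_mode
    except FileNotFoundError:
        return "private key file is missing"
    if not stat.S_ISREG(mode):
        return "private key is not a regular file"
    # S_IRWXG | S_IRWXO covers every group and world permission bit.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "private key is accessible by group or world (mode %04o)" % stat.S_IMODE(mode)
    return None
```

The permission check applies only on Unix; per the quoted documentation there is no such check on Windows.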


roji commented Aug 25, 2018

Ok, so I guess we do it! We can even support ~/.postgresql/postgresql.crt...


austindrenski commented Aug 25, 2018

Once this is in place, we should give some attention to the getting started/connection docs. It would be great to get a comparison chart of Npgsql and libpq, and be able to say for configuration parameters that "the standard docs apply, except for these outstanding issues".
