On Wed, 6 Dec 2023 at 04:28, william@welliver.org wrote:
> Hi Chris,
> the SSL module supports passing client certificates, and the Sql.pgsql module uses SSL.File, however it doesn't directly provide any hooks for configuring the client certs. I think it would be easy to add, basically you just need a way to pass a properly configured SSL.Context object to the SSL.File object in (I think the relevant place is in Sql.pgsql_util.pmod). Once that's done, the handshake process should see the client certs and then pass them when requested by the server.
That sounds pretty doable. The options mapping would be the place for it. I propose adding a third SSL-related option:
  use_ssl - use SSL if available, else unencrypted
  force_ssl - use SSL or fail if not supported
  ssl_context - if SSL is enabled by either of the above options, use this SSL.Context
Sound good? I'll try to put together an implementation, although I'm not sure there's a viable way to add tests for it.
ChrisA