On Wed, 6 Dec 2023 at 08:32, Chris Angelico <rosuav@gmail.com> wrote:
> On Wed, 6 Dec 2023 at 05:10, Chris Angelico <rosuav@gmail.com> wrote:
>> Sound good? I'll try to put together an implementation, although I'm not sure there's a viable way to add tests for it.
>
> In working on the implementation, I'm running into some trouble with SSL connections in general. As of Pike 8.1, the pgsql module uses Shuffler (this wasn't the case in Pike 8.0, but for unrelated reasons I'm not able to build Pike 8.0 on here at the moment). Non-SSL connections are fine, but SSL ones run into a problem due to sendcmd() calling shuffle->add_source(this) early in connectloop(), before the shuffler is created down below. Can anyone confirm whether or not Pike 9.0 is able to establish SSL encrypted connections in this way?
Welp. Over the past few days, I have learned:
1. I don't know much about SSL's internals.
2. I REALLY don't know much about SSL's internals.
3. It's surprisingly hard to find tools that can help you debug client certificates.
Anyhow. I've created the branch rosuav/pgsql-ssl for this. Can someone review it please? Particularly with respect to the "DEBUG HACK" commit there, where I ripped out all of the Shuffler code and just went straight to the Stdio.Buffer; there's a lot going on with the Shuffler and I'm sure there's a way better way to make this work, but I wasn't able to figure that out.
But the upshot is that I was able to connect to PostgreSQL with a client cert, and get authenticated! Here's the script I used for testing:
https://github.com/Rosuav/StilleBot/blob/master/pgssl.pike
https://github.com/Rosuav/StilleBot/blob/master/sslport.pike (mini server to show certs)
To get things to work, I had to force the Context to return a certificate (done with subclassing here), and for the mini server, I had to add the root cert to the end of the chain. More things that I don't fully understand. But after 48 hours with Wireshark, I've come to the conclusion that, if it works, it works...
If anyone has time to read over this and weigh in, I would very much appreciate it!
ChrisA