Hi Chris,
the SSL module supports passing client certificates, and the Sql.pgsql module uses SSL.File; however, it doesn't directly provide any hooks for configuring the client certs. I think it would be easy to add, basically you just need a way to pass a properly configured SSL.Context object to the SSL.File object (I think the relevant place is in Sql.pgsql_util.pmod). Once that's done, the handshake process should see the client certs and then pass them when requested by the server.
As a side note, I think anything that offers TLS support should provide a means for passing a Context, as that's where all of the configuration is done. I don't think that is currently the case, and might be a worthwhile side project.
I'm a bit swamped here, otherwise I'd offer some tested code, but I think it would be fairly straightforward to add a constructor variant to Sql.pgsql and the associated wiring below it.
If you've got specific questions, I'm happy to try to answer them (I wrote the initial client cert support many, many years ago).
Bill
On 2023-12-03 19:51, Chris Angelico wrote:
Is it possible to use client SSL certificates for authentication with the Sql.pgsql or (the deprecated) Sql.postgres driver? I've been setting up a multihomed Pike program and would ideally like to be able to have all nodes connect to the same database, using their SSL certificates as proof of identity. In theory, this should work, but I've had no success. Anyone done this and if so, how?
The connection works in the command line psql interface, but not in Pike.
ChrisA