Add ssl_passphrase_command setting

This allows specifying an external command for prompting for or otherwise obtaining passphrases for SSL key files. This is useful because in many cases there is no TTY easily available during service startup. Also add a setting ssl_passphrase_command_supports_reload, which allows supporting SSL configuration reload even if SSL files need passphrases. Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
2025-07-27 12:41:57 +03:00 · 2018-02-26 13:28:38 -05:00
parent 7a50bb690b
commit 8a3d942529
13 changed files with 313 additions and 20 deletions
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@ -22,6 +22,7 @@ CERTIFICATES := server_ca server-cn-and-alt-names \
 	root_ca

 SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
+	ssl/server-password.key \
 	ssl/client.crl ssl/server.crl ssl/root.crl \
 	ssl/both-cas-1.crt ssl/both-cas-2.crt \
 	ssl/root+server_ca.crt ssl/root+server.crl \
@ -71,6 +72,10 @@ ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only.
 	openssl x509 -req -days 10000 -in ssl/server-ss.csr -signkey ssl/server-cn-only.key -out ssl/server-ss.crt  -extensions v3_req -extfile server-cn-only.config
 	rm ssl/server-ss.csr

+# Password-protected version of server-cn-only.key
+ssl/server-password.key: ssl/server-cn-only.key
+	openssl rsa -des -in $< -out $@ -passout 'pass:secret1'
+
 # Client certificate, signed by the client CA:
 ssl/client.crt: ssl/client.key ssl/client_ca.crt
 	openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
--- a/src/test/ssl/README
+++ b/src/test/ssl/README
@ -48,6 +48,9 @@ server-no-names
 server-ss
 	same as server-cn-only, but self-signed.

+server-password
+	same as server-cn-only, but password-protected.
+
 client
 	a client certificate, for user "ssltestuser". Signed by client_ca.

--- a/src/test/ssl/ssl/server-password.key
+++ b/src/test/ssl/ssl/server-password.key
@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-CBC,2FAEFD1C1B2C881C
+
+PGi9r3pm05iUwz5QbZik+ZNu0fHNaX8LJFZqpOhg0TV38csLtQ2PRjZ0Q/diBlVT
+SD8JJnIvwPoIWXyMMTax/krFL0CpbFqgAzD4CEgfWxGNhwnMD1DkNaYp/UF/NfuF
+7TqXomUlcH/pVaZlu7G0wrIo5rnjef70I7GEY2vwT5adSLsUBAgrs/u3MAAx/Wh4
+PkVxZELmyiH/8MdIevodjRcJrgIzRheEph39eHrWKgWeSbO0DEQK91vv3prICwo2
+w2iU0Zohf92QuquA2MKZWruCHb4A4HusUZf3Zc14Yueu/HyztSrHmFeBp0amlWep
+/o6mx274XVj7IpanOPPM4qEhrF97LHdaSEPn9HwxvvV4GFJDNCVEBl4zuaHo0N8C
+85GPazIxUWB3CB9PrtXduxeI22lwrIiUdmzA68EXHD7Wg8R90397MNMOomLgfNcu
+rXarrTXmTNgOa20hc1Ue5AXg9fVS9V/5GP4Dn9SX/CdaE1rz0b73N/ViQzVrS9Ne
+n04qYPbnf+MQmFWnzMXctZbYG6jDCbuGFIGP4i/LG+wOE8Rntu8Re9re+HANu5VJ
+Ht20wYOGZIpNwo4YenxvPeTTlbB0Qcma2lnw2bt19owpNQVIeTnRQXxZs3/Y3a+A
+/B8VvIkQ0u0EpnSVLBetEmJqtOQvBz7c4Z+0Cl+DL1bTqrDn54MxUBap6dgU+/1
+R6pxx1F0ZTtQauVmO8n3rWKwOGG5NeMhf4iId2JWpw39VtRk8LNtnGUbUAbL5znY
+rkUVyJstQg6U6kNTgDWQ1nBxCzlRz2xpHyghnyxLkMpW5ECpmwwLDQ==
+-----END RSA PRIVATE KEY-----
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@ -8,7 +8,7 @@ use File::Copy;

 if ($ENV{with_openssl} eq 'yes')
 {
-	plan tests => 62;
+	plan tests => 64;
 }
 else
 {
@ -38,7 +38,7 @@ chmod 0600, "ssl/client-revoked_tmp.key";
 copy("ssl/client.key", "ssl/client_wrongperms_tmp.key");
 chmod 0644, "ssl/client_wrongperms_tmp.key";

-#### Part 0. Set up the server.
+#### Set up the server.

 note "setting up data directory";
 my $node = get_new_node('master');
@ -50,9 +50,32 @@ $ENV{PGHOST} = $node->host;
 $ENV{PGPORT} = $node->port;
 $node->start;
 configure_test_server_for_ssl($node, $SERVERHOSTADDR, 'trust');
-switch_server_cert($node, 'server-cn-only');

-### Part 1. Run client-side tests.
+note "testing password-protected keys";
+
+open my $sslconf, '>', $node->data_dir."/sslconfig.conf";
+print $sslconf "ssl=on\n";
+print $sslconf "ssl_cert_file='server-cn-only.crt'\n";
+print $sslconf "ssl_key_file='server-password.key'\n";
+print $sslconf "ssl_passphrase_command='echo wrongpassword'\n";
+close $sslconf;
+
+command_fails(['pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart'],
+			  'restart fails with password-protected key file with wrong password');
+$node->_update_pid(0);
+
+open $sslconf, '>', $node->data_dir."/sslconfig.conf";
+print $sslconf "ssl=on\n";
+print $sslconf "ssl_cert_file='server-cn-only.crt'\n";
+print $sslconf "ssl_key_file='server-password.key'\n";
+print $sslconf "ssl_passphrase_command='echo secret1'\n";
+close $sslconf;
+
+command_ok(['pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart'],
+		   'restart succeeds with password-protected key file');
+$node->_update_pid(1);
+
+### Run client-side tests.
 ###
 ### Test that libpq accepts/rejects the connection correctly, depending
 ### on sslmode and whether the server's certificate looks correct. No
@ -60,6 +83,8 @@ switch_server_cert($node, 'server-cn-only');

 note "running client tests";

+switch_server_cert($node, 'server-cn-only');
+
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";

@ -235,7 +260,7 @@ test_connect_fails($common_connstr,
 				   qr/SSL error/,
 				   "does not connect with client-side CRL");

-### Part 2. Server-side tests.
+### Server-side tests.
 ###
 ### Test certificate authorization.