Attached is a patch that includes some SSL cleanup and adds support for
client certificates. The visible changes are:
1) postmaster logs anonymous SSL connections:
DEBUG: SSL connection from (anonymous) with cipher EDH-RSA-DES-CBC3-SHA
2) postmaster logs SSL connections with client certificates:
DEBUG: SSL connection from Bear Giles with cipher EDH-RSA-DES-CBC3-SHA
(The postmaster will also log any errors in the certificate.)
3) libpq recognizes two new environment variables/configuration file
PQCLIENTCERT: pathname of client certificate
PQCLIENTKEY: pathname of client key
At the current time, only unencrypted keys are supported.
There is a prototype callback that prompts the user for an
encryption passphrase, but it's not yet activated.
For security reasons, the key file must be a regular file
that is not world- or group-accessible. It should also be
owned by the server or user, but this is not yet checked.
The client cert, if provided, is available at 'port->peer', but
this value is not yet used to map a client cert into a PostgreSQL
The patch also provides some cleanup of the SSL calls:
1) proper error checking for SSL_read() and SSL_write().
(You need to call SSL_get_error(), not just check the system
2) proper shutdown of the SSL connection, at least on the client
side. Simply closing the socket is a sadly common error.
3) Empheral DH keys have been added, with fallbacks provided from
the OpenSSL source code.
4) keys must be regular files and not world- or group-accessible.
They should also be owned by the postmaster or client, but I
haven't added that test yet.
Unfortunately the error messages if the permissions tests fail
are cryptic at best. This definitely needs improvement!
Some serious work remains:
1) we should move towards TLSv1 instead of SSLv3 or SSLv2.
But this may have unforeseen consequences so we should make
sure everything else is working well first.
2) we need to provide a way to specify a good entropy source,
if one is available.
3) we need to provide a trigger to renegotiate the session key.
(E.g., renegotiate the session key after N hours or X megabytes
4) certificates should be better validated.
5) backend/libpq/hba.c needs to be extended to support mapping
from client cert to database identity.
pgsql-patches by date
|Next:||From: Peter Eisentraut||Date: 2002-05-17 13:37:05|
|Subject: Re: [INTERFACES] libpgtcl - backend version information patch|
|Previous:||From: Nigel J. Andrews||Date: 2002-05-16 22:49:18|
|Subject: libpgtcl - backend version information patch|