Re: SSL Support

From: dom(at)happygiraffe(dot)net (Dominic Mitchell)
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: SSL Support
Date: 2004-09-21 09:35:56
Message-ID: 20040921093556.GA75507@ppe.happygiraffe.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Tue, Sep 21, 2004 at 10:17:51AM +0200, Peter Eisentraut wrote:
> Am Dienstag, 21. September 2004 09:24 schrieb Dominic Mitchell:
> > I am also unsure of the
> > procedures for submitting patches; is it ok to just send to hackers?
>
> pgsql-patches(at)postgresql(dot)org

Thanks, I'll send it along there.

> > In initialize_SSL(), we call SSL_CTX_set_verify(), but we don't pass
> > in the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag. This means that a client
> > can present no certificate and still get access to the server.
>
> Client-side certificates as an authentication mechanism are not
> intended to be supported. It might be a nice feature to add, though.

The code is all there to do so, pretty much. What it's missing is a few
toggles to make it say "I want to enforce this to happen".

> > There's nothing that gets logged to say that an SSL connection was
> > made. This would be useful for testing. Something like logging the
> > connection as "1.2.3.4/ssl"?
>
> That seems reasonable.

Ok, I'll knock up a patch to do so.

> > In initialize_SSL(), we call SSL_CTX_set_verify_depth(SSL_context, 1).
> > This should probably be a configurable item. I /think/ it might be
> > stopping me from successfully verifying the server certificate is
> > signed by the CA listed in my client's root.crt file, but I'm not
> > sure.
>
> I think verification of the server certificates is not supported either. SSL
> only serves for encryption, not authentication or integrity checking (which
> is probably a stupid idea).
>
> > In open_client_SSL() again, the call to verify that the CN of the
> > certificate is the same as the hostname you've connected to is
> > commented out. So you have no idea whether or not you've connected to
> > the right server.
>
> This seems to match the pattern I described above.

I think it's misleading to talk about SSL being supported without these
options. I've used SSL in other places (apache/mod_ssl, curl, stunnel)
and I came to expect this sort of verification as standard behaviour.
What's more, the code is there to do it, it's just #ifdef'd out, or
needs a toggle.

I'm not even concerned about client certificates (though that would be
useful), but just the ordinary sort of checking that goes with SSL.
This is about the same level of checking that a browser would do when
visiting a HTTPS site.

-Dom

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Dominic Mitchell 2004-09-21 09:37:17 Re: SSL Support
Previous Message Gaetano Mendola 2004-09-21 09:23:16 Re: CVS configure failure