
Re: doc patch for ssl in server

From: dom(at)happygiraffe(dot)net (Dominic Mitchell)
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-patches(at)postgresql(dot)org
Subject: Re: doc patch for ssl in server
Date: 2004-09-23 21:11:58
Message-ID: 20040923211158.GA28254@ppe.happygiraffe.net
Lists: pgsql-hackers, pgsql-patches

On Thu, Sep 23, 2004 at 04:37:52PM -0400, Tom Lane wrote:
> Dominic Mitchell <dom(at)happygiraffe(dot)net> writes:
> > +   If verification of client certificates is required, place the
> > +   certificates of the <acronym>CA</acronym> you wish to check for in
> > +   the file <filename>root.crt</filename> in the data directory.  When
> > +   present, a client certificate will be requested from the client
> > +   making the connection and it must have been signed by one of the
> > +   certificates present in <filename>root.crt</filename>.  If no
> > +   certificate is presented, the connection will be allowed to proceed
> > +   anway.
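Review bot: In the last added line, "anway" should be "anyway". Also, "it must have been signed by one of the certificates present in root.crt" followed directly by "If no certificate is presented, the connection will be allowed to proceed" reads as contradictory. Suggest saying that a certificate is verified only when the client presents one, so the presence of root.crt by itself does not enforce client certificate authentication.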
> 
> That last statement is not actually correct, is it?  AFAICS we do tell
> SSL to enforce certificates if we find a valid root.crt file.

Nope, the code says "ask the client to give me a certificate, but carry
on anyway if you don't get one".  The call to SSL_CTX_set_verify in
be-secure.c/initialize_SSL() specifies SSL_VERIFY_PEER |
SSL_VERIFY_CLIENT_ONCE.  According to the docs[1], you also need
SSL_VERIFY_FAIL_IF_NO_PEER_CERT if you want requests that do not send a
certificate to be rejected.  That terminates the connection immediately.
I've no idea what that would do to the server's state at that point.

More to the point, I can definitely connect in this mode:

    % ls -l ~/.postgresql
    total 0
    % sudo ls -l ~pgsql/data
    Password:
    total 36
    -rw-------   1 pgsql  pgsql     4 Dec  5  2003 PG_VERSION
    drwx------  10 pgsql  pgsql   512 Sep 17 22:42 base
    drwx------   2 pgsql  pgsql   512 Sep 23 22:10 global
    drwx------   2 pgsql  pgsql   512 Dec  5  2003 pg_clog
    -r--r--r--   1 pgsql  pgsql  3480 Sep 16 21:28 pg_hba.conf
    -rw-------   1 pgsql  pgsql  1441 Dec  5  2003 pg_ident.conf
    drwx------   2 pgsql  pgsql   512 Sep 21 04:09 pg_xlog
    -r--r--r--   1 pgsql  pgsql  8033 Sep 21 23:37 postgresql.conf
    -rw-------   1 pgsql  pgsql    26 Sep 22 07:38 postmaster.opts
    -rw-------   1 pgsql  pgsql    48 Sep 23 06:01 postmaster.pid
    -rw-r--r--   1 pgsql  pgsql  1204 Sep 16 21:30 root.crt
    -rw-r--r--   1 pgsql  pgsql  3469 Sep 16 21:24 server.crt
    -r--------   1 pgsql  pgsql   887 Sep 16 21:24 server.key
    % psql -h db.happygiraffe.net
    Welcome to psql 7.4.5, the PostgreSQL interactive terminal.

    Type:  \copyright for distribution terms
           \h for help with SQL commands
           \? for help on internal slash commands
           \g or terminate with semicolon to execute query
           \q to quit

    SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

    dom=#

-Dom

[1] http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
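
A small source audit for the flag combination discussed in the message above, added here as an example and not part of the original post or of PostgreSQL's code: it finds `SSL_CTX_set_verify` calls in C source and reports whether a client certificate is required, optional (requested but not enforced), or not requested. The function names and the C sample are constructed for illustration.

```python
import re

# Matches SSL_CTX_set_verify(ctx, <mode>, <callback>), including multi-line calls.
CALL_RE = re.compile(r"SSL_CTX_set_verify\s*\(\s*[^,]+,\s*([^,]+),")

def classify(mode_expr):
    """Map an OR-ed OpenSSL verify-mode expression to server-side behaviour."""
    flags = {f.strip() for f in mode_expr.split("|")}
    if "SSL_VERIFY_PEER" not in flags:
        # The other flags are ignored unless SSL_VERIFY_PEER is set.
        return "none"
    if "SSL_VERIFY_FAIL_IF_NO_PEER_CERT" in flags:
        return "required"   # handshake fails if the client sends no certificate
    return "optional"       # certificate requested, but its absence is tolerated

def audit(source):
    """Return (line_number, classification) for every SSL_CTX_set_verify call."""
    findings = []
    for m in CALL_RE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        findings.append((line, classify(m.group(1))))
    return findings

# Constructed sample input (not copied from be-secure.c).
SAMPLE = """\
static void setup_a(SSL_CTX *ctx) {
    SSL_CTX_set_verify(ctx,
                       SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
                       verify_cb);
}
static void setup_b(SSL_CTX *ctx) {
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
                       SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
                       SSL_VERIFY_CLIENT_ONCE, verify_cb);
}
static void setup_c(SSL_CTX *ctx) {
    SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
}
"""

if __name__ == "__main__":
    for line, kind in audit(SAMPLE):
        print(f"line {line}: client certificate {kind}")
```

A result of "optional" corresponds to the behaviour shown in the psql session above: the server asks for a certificate but accepts a client that has none.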
