
Re: Bogus error message about private key (not a bug).

From: Stefanos Harhalakis <v13(at)it(dot)teithe(dot)gr>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: Bogus error message about private key (not a bug).
Date: 2004-11-16 20:43:08
Message-ID: 200411162243.09419.v13@it.teithe.gr
Lists: pgsql-bugs
On Tuesday 16 November 2004 21:06, Tom Lane wrote:
> Stefanos Harhalakis <v13(at)priest(dot)com> writes:
> > I believe that the checks in src/backend/libpq/be-secure.c:653 should be
> > performed in a different order (first the access permissions and then the
> > owner of the key) just to give a more appropriate message.
>
> Changing the order of the tests wouldn't change the message, though,
> 'cause there's just one message.  Are you suggesting more than one
> message?  Not sure it's worth the trouble ...

I meant the next error message which says "could not load private key file". 
This is from SSL_CTX_use_PrivateKey_file() so something like this:

--- be-secure.c.orig	2004-11-16 22:30:35.000000000 +0200
+++ be-secure.c	2004-11-16 22:32:42.000000000 +0200
@@ -650,6 +650,11 @@
 					(errcode_for_file_access(),
 				   errmsg("could not access private key file \"%s\": %m",
 						  fnbuf)));
+		if (!SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM))
+			ereport(FATAL,
+					(errmsg("could not load private key file \"%s\": %s",
+							fnbuf, SSLerrmessage())));
+
 		if (!S_ISREG(buf.st_mode) || (buf.st_mode & (S_IRWXG | S_IRWXO)) ||
 			buf.st_uid != getuid())
 			ereport(FATAL,
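Review bot: moving SSL_CTX_use_PrivateKey_file() ahead of the S_ISREG/mode/owner test means the key is read and parsed into SSL_context before the server has decided whether the file is acceptable, so a group- or world-readable key is now loaded first and only rejected afterwards; the original order refuses such a file without touching its contents, which is the safer default for secret material. Because both reports are ereport(FATAL), the reorder changes nothing except which message a misconfigured file produces, so it trades a deliberate ordering for a cosmetic gain. If the aim is a clearer message, keep the permission test first and leave the "could not load private key file" report after it, where a file that passes the mode test and still fails to load is exactly the case in which SSLerrmessage() is informative.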
@@ -658,11 +663,6 @@
 						 fnbuf),
 					 errdetail("File must be owned by the database user and must have no permissions for \"group\" or \"other\".")));
 
-		if (!SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM))
-			ereport(FATAL,
-					(errmsg("could not load private key file \"%s\": %s",
-							fnbuf, SSLerrmessage())));
-
 		if (!SSL_CTX_check_private_key(SSL_context))
 			ereport(FATAL,
 					(errmsg("check of private key failed: %s",
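Review bot: this deletion is the other half of the move and leaves SSL_CTX_check_private_key() as the only OpenSSL call still guarded by the permission test, which makes the guard read as if it were meant for the consistency check rather than for loading the key. If the reorder is kept, add a one-line comment above the permission test stating that the key has already been loaded at that point and the test only decides whether startup continues; otherwise the next reader will assume the mode check protects the load, as it did before this patch.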

could produce a more meaningful message. (This places the 
SSL_CTX_use_PrivateKey_file() call before the permissions check, but as you 
said, this may not be worth the trouble.)

There is one more thing. Perhaps you may want to apply this:

--- be-secure.c.orig	2004-11-16 22:30:35.000000000 +0200
+++ be-secure.c.2	2004-11-16 22:35:45.000000000 +0200
@@ -651,7 +651,7 @@
 				   errmsg("could not access private key file \"%s\": %m",
 						  fnbuf)));
 		if (!S_ISREG(buf.st_mode) || (buf.st_mode & (S_IRWXG | S_IRWXO)) ||
-			buf.st_uid != getuid())
+			(buf.st_uid != getuid() && buf.st_uid))
 			ereport(FATAL,
 					(errcode(ERRCODE_CONFIG_FILE_ERROR),
 				  errmsg("unsafe permissions on private key file \"%s\"",
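Review bot: `(buf.st_uid != getuid() && buf.st_uid)` relaxes only the owner test, but the stated goal (a root-owned key made readable to postgres through an ACL) is still blocked by the unchanged `buf.st_mode & (S_IRWXG | S_IRWXO)` test on the line above it: on Linux the POSIX.1e ACL mask entry is reported in the group permission bits of st_mode, so a root-owned 0600 file after `setfacl -m u:postgres:r` shows up as group-readable and is rejected exactly as before. Without an ACL, a root-owned file with no group/other bits cannot be read by the server at all, so the new condition admits precisely the files that then fail in SSL_CTX_use_PrivateKey_file(). Supporting this case properly means either inspecting the ACL or accepting the mask bits, which is a larger change than the one-token edit here; and if the uid test stays, write it as `buf.st_uid != 0` rather than relying on the implicit truthiness of a uid_t.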

so that it will be possible to have a private key owned by root with strict 
permissions where access can be controlled by ACLs. Using the existing
method it is not possible to have a root owner and give postgresql 
(and possibly others too) read permission to the key using ACLs. I believe
that there will be cases where a server has one certificate only, for all of 
its services, and the same private key must be shared between 
postgresql, apache, sendmail and possibly other programs.

<<V13>>
