Re: Bogus error message about private key (not a bug).

From: Stefanos Harhalakis <v13(at)it(dot)teithe(dot)gr>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: Bogus error message about private key (not a bug).
Date: 2004-11-16 20:43:08
Message-ID: 200411162243.09419.v13@it.teithe.gr
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

On Tuesday 16 November 2004 21:06, Tom Lane wrote:
> Stefanos Harhalakis <v13(at)priest(dot)com> writes:
> > I believe that the checks in src/backend/libpq/be-secure.c:653 should be
> > performed in a different order (first the access permissions and then the
> > owner of the key) just to give a more appropriate message.
>
> Changing the order of the tests wouldn't change the message, though,
> 'cause there's just one message. Are you suggesting more than one
> message? Not sure it's worth the trouble ...

I meant the next error message which says "could not load private key file".
This is from SSL_CTX_use_PrivateKey_file() so something like this:

--- be-secure.c.orig 2004-11-16 22:30:35.000000000 +0200
+++ be-secure.c 2004-11-16 22:32:42.000000000 +0200
@@ -650,6 +650,11 @@
(errcode_for_file_access(),
errmsg("could not access private key file \"%s\": %m",
fnbuf)));
+ if (!SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM))
+ ereport(FATAL,
+ (errmsg("could not load private key file \"%s\": %s",
+ fnbuf, SSLerrmessage())));
+
if (!S_ISREG(buf.st_mode) || (buf.st_mode & (S_IRWXG | S_IRWXO)) ||
buf.st_uid != getuid())
ereport(FATAL,
@@ -658,11 +663,6 @@
fnbuf),
errdetail("File must be owned by the database user and must have no permissions for \"group\" or \"other\".")));

- if (!SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM))
- ereport(FATAL,
- (errmsg("could not load private key file \"%s\": %s",
- fnbuf, SSLerrmessage())));
-
if (!SSL_CTX_check_private_key(SSL_context))
ereport(FATAL,
(errmsg("check of private key failed: %s",

could produce a more meaningfull message. (this places the
SSL_CTX_use_PrivateKey_file() call before the permissions check, but as you
said, this may not worth the trouble.

There is one more thing. Perhaps you may want to apply this:

--- be-secure.c.orig 2004-11-16 22:30:35.000000000 +0200
+++ be-secure.c.2 2004-11-16 22:35:45.000000000 +0200
@@ -651,7 +651,7 @@
errmsg("could not access private key file \"%s\": %m",
fnbuf)));
if (!S_ISREG(buf.st_mode) || (buf.st_mode & (S_IRWXG | S_IRWXO)) ||
- buf.st_uid != getuid())
+ (buf.st_uid != getuid() && buf.st_uid))
ereport(FATAL,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("unsafe permissions on private key file \"%s\"",

so that it will be possible to have a private key owned by root with strict
permissions where the access can be controled by ACLs. Using the existing
method it is not possible to have root owner and give postgresql
(and possibly others too) read permissions to the key using ACLs. I believe
that there will be cases where a server has one certificate only, for all of
its services, and the same private key will must be shared between
postgresql, apache, sendmail and possibly other programs.

<<V13>>

In response to

Browse pgsql-bugs by date

  From Date Subject
Next Message Andrew - Supernews 2004-11-16 20:43:57 Re: libplperl.so and libperl.so
Previous Message Michael Fuhr 2004-11-16 20:41:56 Re: BUG #1321: SSL error: sslv3 alert handshake failure