
Re: no verification of client certificate?

From: Ray Stell <stellr(at)cns(dot)vt(dot)edu>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: no verification of client certificate?
Date: 2007-03-24 02:04:34
Message-ID: 20070324020434.GA18533@cns.vt.edu
Lists: pgsql-admin, pgsql-docs
On Fri, Mar 23, 2007 at 06:01:17PM -0400, Tom Lane wrote:
> Ray Stell <stellr(at)cns(dot)vt(dot)edu> writes:
> > I was hoping to not have to support client certs.  I want
> > encryption and to verify the server, but not to verify the client.
> > Does this work and I've got the config wrong?
> 
> Maybe I misunderstand what you want --- doesn't leaving out the
> server's root.crt file do that?
> 

It doesn't look like it to me.  I hope you can steer me back.

When I first looked at the ssl doc, I didn't see any description of
installing the root ca on the client.  This seemed odd.  On my web client,
when I need to verify the server crt, I install the appropriate ca in
the client.  

Anyway, two permutations of the various config items provided ssl
connections.  One was with a client crt and the other was, as you said,
no root crt on the server datadir.  The version without the client cert
was closer to what I was after.  

I describe the config here:

no root.crt in the data dir 
no .postgresql/    <--- this is what made me think there was no server verification
server.crt/key in the data dir
pg_hba.conf set to hostssl
PGSSLMODE=required or prefer 

connect:
--------
$  psql  -h serve.vt.edu -p 5437 testdb jira
Password for user jira:
Welcome to psql 8.2.3, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

strace of the above connection; it tries/fails to open the client ca:
--------------------------------------------------------------------
stat64("/home/postgresql/.postgresql/root.crt", 0xbfee27d0) = -1 ENOENT (No such file or directory)
stat64("/home/postgresql/.postgresql/root.crt", 0xbfee27d0) = -1 ENOENT (No such file or directory)

So, it looks to me like I get encryption this way, but no server verification.  Hope I'm wrong.  
Thanks for your help.
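As an added check (example code written for this page, not Ray's script and not part of PostgreSQL): a small shell function that applies the rules this thread turns on to a given data directory, client home directory and PGSSLMODE, and reports what the combination actually provides. It encodes the 8.2-era behaviour: libpq verifies the server certificate only when ~/.postgresql/root.crt exists on the client, the server demands a client certificate only when root.crt exists in the data directory, and sslmode=require alone gives encryption with no identity check. The directory paths are parameters so it can be pointed at test copies.

```shell
# pg_ssl_audit PGDATA CLIENT_HOME [PGSSLMODE]   (PGSSLMODE defaults to prefer)
# Prints one line of space-separated findings for the given configuration.
pg_ssl_audit() {
    pgdata=$1
    home=$2
    mode=${3:-prefer}

    # Without server.crt and server.key the server cannot offer SSL at all.
    if [ ! -f "$pgdata/server.crt" ] || [ ! -f "$pgdata/server.key" ]; then
        echo "plaintext-only"
        return 0
    fi

    # sslmode decides whether SSL is mandatory or merely attempted.
    case "$mode" in
        require)        out="encrypted" ;;
        prefer|allow)   out="encryption-optional" ;;   # may fall back to plaintext
        disable)        echo "plaintext-only"; return 0 ;;
        *)              echo "unknown-sslmode:$mode"; return 1 ;;
    esac

    # Server verification happens only when the client has a root.crt;
    # this is the case the strace output above shows failing.
    if [ -f "$home/.postgresql/root.crt" ]; then
        out="$out server-verified"
    else
        out="$out server-unverified"
    fi

    # Client certificates are demanded only when the server has a root.crt.
    if [ -f "$pgdata/root.crt" ]; then
        out="$out client-cert-required"
    else
        out="$out client-cert-not-checked"
    fi

    # hostssl entries force SSL for the matching pg_hba.conf rules.
    if [ -f "$pgdata/pg_hba.conf" ] && grep -q '^[[:space:]]*hostssl' "$pgdata/pg_hba.conf"; then
        out="$out hostssl-rules"
    else
        out="$out no-hostssl-rules"
    fi

    echo "$out"
}
```

Run against the setup described in this message (server.crt/key present, no root.crt anywhere, hostssl in pg_hba.conf, sslmode require) it reports "encrypted server-unverified client-cert-not-checked hostssl-rules", which is the "encryption but no server verification" outcome observed above.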
