Skip site navigation (1) Skip section navigation (2)

Re: SSL client crt verification

From: "Knut P Lehre" <k(dot)p(dot)lehre(at)world-online(dot)no>
To: pgsql-hackers(at)postgresql(dot)org
Cc: doug(at)mcnaught(dot)org
Subject: Re: SSL client crt verification
Date: 2005-08-29 11:30:34
Message-ID: 42BFF0E800000D7B@cpfe4.be.tisc.dk (view raw or flat)
Thread:
Lists: pgsql-hackers
>> Server: 7.4.8 on Red Hat EL4. Client psql 8.0.3 on WinXP.  Using a
>> test server.crt and server.key, as described in 8.0 docs 16.8, I can
>> activate SSL encryption (WinXP 8.0.3 psql reports "SSL Connection"
>> at connect), and as expected, the server log reports that root.crt
>> is not found.  If I copy server.crt to root.crt and start up server
>> again, the missing root.crt message disappears. But I can still
>> connect with psql with no postgresql.crt on client (docs
>> 27.13). Apparently, the root.crt, which in this case is a copy of
>> server.crt, is not interpreted as a CA crt, but how does the server
>> know? Isn't a CA cert just a self signed crt? Why is there not a
>> warning that client authentication will not take place, when it
>> apparently does not? Does the server only check that a root.crt file
>> is present, and not that is contains valid information?
> 
> You really need a separate root CA cert and server key.  The server
> key should be signed by the root CA, which is self-signed.  The root
> CA private key should be kept secure somewhere else--the database
> server doesn't need access to it. 
> 
> I just went though the whole exercise of creating a CA and setting up
> an app for client cert authentication, so I am reasonably sure the
> above is your problem.
> 
> For client auth to work, you need:
> 
> * Root CA certificate available to both client and server
> * Server cert signed by root CA, with CN=server hostname
> * Client cert signed by root CA, available to client to present to
>   server.
> 
> -Doug
> 

Thanks for your comments.
I seem to get SSL client authentication to work with a 8.0.3 server on win32
(a client crt needed for connection), but still not with the 7.4.8 server
on Red Hat EL4, even with separate root CA subject and server.crt subject,
as you suggest.
Interestingly, version 8 docs (16.8) mention the root.crt file needed for
client auth, while 7.4 docs do not mention it. Similarly, the 27.13 section
on libpq SSL support in 8 docs is not there in the 7.4 docs. Maybe my problem
is that 7.4.8 doesn't support client authentication? However, that doesn't
fit with the fact that the 7.4.8 server log reports that it will not verify
client certificates if the root.crt file is missing in the server data directory.
Have I missed some points regarding linux or 7.4 SSL setup? From docs I
understand that I only have to set SSL = true in postgresql.conf to switch
it on (in addition to providing the crt and key files).

KPL



Responses

pgsql-hackers by date

Next:From: Sergey E. KoposovDate: 2005-08-29 11:50:45
Subject: 8.1beta, SunOS and shmget
Previous:From: Andreas PflugDate: 2005-08-29 11:09:35
Subject: Re: dangling lock information?

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group