
Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
Date: 2010-05-25 23:26:11
Message-ID: 4BFC5C93.40406@postnewspapers.com.au
Lists: pgsql-bugs
On 25/05/10 23:48, Tom Lane wrote:
> Craig Ringer<craig(at)postnewspapers(dot)com(dot)au>  writes:
>> Bug 5245 is not the same issue. They're talking about the server not
>> sending the full certificate chain for the cert that identifies the
>> server (server.crt). It's nothing to do with client certificates.
>> Without the full chain, the client can't verify the server unless it
>> happens to already have the intermediate certs between the server's cert
>> and the trusted root that signed it installed locally. I haven't
>> encountered #5245 myself, but will test it shortly to verify. It'd
>> certainly count as a significant bug, as it would make it impossible to
>> use indirect trust to verify a server (as is the case when a corporate
>> CA signed by a "big name" CA is in use).
>
> BTW, does anyone know exactly how to fix that?  I'm looking at a related
> request internal to Red Hat right now.

The first thing to test is whether concatenating the root cert onto the 
server cert in 'server.crt' does the trick. Though, really, OpenSSL 
should do the right thing automatically so long as it has the CA 
certificate loaded.

Certainly my (patched) server is doing the right thing and sending the 
certificate. I'm 99% sure it did so before patching, though, just from 
having root.crt installed. However, this only works because the CA I 
want to validate clients against happens to be the same CA that signed 
my server's certificate, which is frequently *not* the case.

I do *not* have the CA cert concatenated onto server.crt. I'll have to 
see if that works, because that's how it's usually done with OpenSSL.


BTW, the little Java app I posted for client certificate testing will let 
you get detailed tracing of a Pg SSL connection. Just run it with the 
default sslsocketfactory and no client cert:

java -jar PgClientCertDemo.jar default '' '' '' \
  'jdbc:postgresql://YOURSERVER/YOURDATABASE?ssl=true&user=blah&password=blah'


and you'll get detailed trace information (possibly followed by an 
exception if it couldn't negotiate for some reason). Search for 
'ServerHello' to find the start of the area of interest in the 
negotiation. Search for 'chain [' to find the server certificate chain 
entries.

--
Craig Ringer
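As an added example (not Craig's code, nor anything from the PostgreSQL project), the following script checks the concatenation step discussed above: a server.crt built by appending the CA certificate(s) to the server certificate must be ordered so that each certificate is followed by its issuer, otherwise OpenSSL will not serve a usable chain. It assumes the openssl command-line tool is on PATH.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that a PostgreSQL
# server.crt bundle is ordered leaf -> intermediate(s) -> root, i.e. each
# certificate's issuer equals the subject of the certificate that follows it.
# Assumes the openssl CLI is available. Usage: check_chain_order server.crt

# Split a PEM bundle ($1) into one file per certificate under directory $2,
# named 00.pem, 01.pem, ... in the order they appear in the bundle.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/%02d.pem", dir, n++) }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# Return 0 if every certificate in $1 is immediately followed by its issuer,
# 1 if the order is broken. Prints each subject/issuer pair for inspection.
check_chain_order() {
    bundle="$1"
    tmp=$(mktemp -d) || return 2
    split_pem_bundle "$bundle" "$tmp"
    status=0
    prev_issuer=""
    for f in "$tmp"/*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        echo "$f: subject=$subj"
        echo "$f: issuer=$iss"
        # The previous certificate's issuer must be this certificate's subject.
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "chain break before $f: expected subject '$prev_issuer'" >&2
            status=1
        fi
        prev_issuer="$iss"
    done
    rm -rf "$tmp"
    return $status
}
```

A single self-signed certificate passes trivially; the check only flags bundles whose certificates are present but in the wrong order.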
