Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present

On Mon, Sep 12, 2011 at 19:21, David Fetter <david(at)fetter(dot)org> wrote:
> On Wed, Aug 31, 2011 at 09:59:18AM +0000, Srinivas Aji wrote:
>>
>> The following bug has been logged online:
>>
>> Bug reference:      6189
>> Logged by:          Srinivas Aji
>> Email address:      srinivas(dot)aji(at)emc(dot)com
>> PostgreSQL version: 9.0.4
>> Operating system:   Linux
>> Description:        libpq: sslmode=require verifies server certificate if
>> root.crt is present
>> Details:
>>
>> >From the documentation of sslmode values in
>> http://www.postgresql.org/docs/9.0/static/libpq-ssl.html ,
>> it looks like libpq will not verify the server certificate when the option
>> sslmode=require is used, and will perform different levels of certificate
>> verification in the cases sslmode=verify-ca and sslmode=verify-full.
>>
>> The observed behaviour is a bit different. If the ~/.postgresql/root.crt
>> file (or any other filename set through sslrootcert option) is found,
>> sslmode=require also performs the same level of certificate verification as
>> verify-ca. The difference between require and verify-ca is that it is an
>> error for the file to not exist when sslmode is verify-ca.
>>
>> Thanks,
>> Srinivas
>
> It looks to me like there could at least in theory be an attack vector
> or two that we're not covering with this bug.  Anybody want to tackle
> same?

I haven't checked the code yet, but from the report it sounds like
we're checking *too much* - how could that be an attack vector?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/