Index: doc/src/sgml/runtime.sgml =================================================================== RCS file: /cvsroot/pgsql-server/doc/src/sgml/runtime.sgml,v retrieving revision 1.139 diff -c -c -r1.139 runtime.sgml *** doc/src/sgml/runtime.sgml 25 Sep 2002 21:16:10 -0000 1.139 --- doc/src/sgml/runtime.sgml 26 Sep 2002 04:36:08 -0000 *************** *** 2876,2881 **** --- 2876,2882 ---- Enter the old passphrase to unlock the existing key. Now do openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert + chmod og-rwx cert.pem cp cert.pem $PGDATA/server.key cp cert.cert $PGDATA/server.crt Index: src/backend/libpq/be-secure.c =================================================================== RCS file: /cvsroot/pgsql-server/src/backend/libpq/be-secure.c,v retrieving revision 1.14 diff -c -c -r1.14 be-secure.c *** src/backend/libpq/be-secure.c 4 Sep 2002 23:31:34 -0000 1.14 --- src/backend/libpq/be-secure.c 26 Sep 2002 04:36:12 -0000 *************** *** 642,650 **** --- 642,654 ---- snprintf(fnbuf, sizeof fnbuf, "%s/root.crt", DataDir); if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, CA_PATH)) { + return 0; + #ifdef NOT_USED + /* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */ postmaster_error("could not read root cert file (%s): %s", fnbuf, SSLerrmessage()); ExitPostmaster(1); + #endif } SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_cb); Index: src/interfaces/libpq/fe-secure.c =================================================================== RCS file: /cvsroot/pgsql-server/src/interfaces/libpq/fe-secure.c,v retrieving revision 1.13 diff -c -c -r1.13 fe-secure.c *** src/interfaces/libpq/fe-secure.c 22 Sep 2002 20:57:21 -0000 1.13 --- src/interfaces/libpq/fe-secure.c 26 Sep 2002 04:36:23 -0000 *************** *** 726,735 **** --- 726,739 ---- pwd->pw_dir); if (stat(fnbuf, &buf) == -1) { + return 0; + #ifdef NOT_USED + /* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */ printfPQExpBuffer(&conn->errorMessage, 
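Review bot: The added `return 0;` in the `SSL_CTX_load_verify_locations` failure branch of be-secure.c treats an absent root.crt and a present but unreadable or malformed one identically. Both now skip the `SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_cb)` call below without any log output. An administrator who installed root.crt to have client certificates checked would get a server that starts normally and quietly stops checking them. Consider returning early only when the file does not exist, keeping the `postmaster_error(...)`/`ExitPostmaster(1)` path for every other load failure, and logging one line when verification is off. The enclosing function starts and ends outside the hunk, so it is not visible whether later setup is skipped as well.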
libpq_gettext("could not read root certificate list (%s): %s\n"), fnbuf, strerror(errno)); return -1; + #endif } if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, 0)) { *************** *** 789,794 **** --- 793,800 ---- /* check the certificate chain of the server */ + #ifdef NOT_USED + /* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */ /* * this eliminates simple man-in-the-middle attacks and simple * impersonations *************** *** 802,807 **** --- 808,814 ---- close_SSL(conn); return -1; } + #endif /* pull out server distinguished and common names */ conn->peer = SSL_get_peer_certificate(conn->ssl); *************** *** 824,829 **** --- 831,838 ---- /* verify that the common name resolves to peer */ + #ifdef NOT_USED + /* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */ /* * this is necessary to eliminate man-in-the-middle attacks and * impersonations where the attacker somehow learned the server's *************** *** 834,839 **** --- 843,849 ---- close_SSL(conn); return -1; } + #endif return 0; }
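Review bot: The new `return 0;` under `if (stat(fnbuf, &buf) == -1)` in fe-secure.c reports success for every stat() failure, not only for a file that does not exist. A permission error or a bad home-directory path therefore leaves the client with no trusted roots loaded and nothing in `conn->errorMessage`. Returning 0 only when `errno == ENOENT`, and keeping the existing `printfPQExpBuffer(...)`/`return -1` path for other errors, would keep genuine misconfiguration visible. The marker comment also looks misleading here, since this file appears to be the root list the client uses to check the server; `/* root certificate list is optional; without it the server is not verified */` would describe the effect more accurately. The enclosing function starts and ends outside the hunk.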
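Review bot: The `#ifdef NOT_USED` / `#endif` pairs added in the 793,800 and 808,814 hunks (certificate chain check) and in the 831,838 and 843,849 hunks (common-name check) compile out all server authentication in the client unconditionally. The connection is still encrypted but is no longer tied to the intended server, and the comments left inside the disabled regions state that these checks are what eliminate man-in-the-middle attacks and impersonation. The marker `/* CLIENT CERTIFICATES NOT REQUIRED ... */` describes something else, because what is switched off here is verification of the server's certificate. If the aim is only to let clients without a root certificate list connect, it would be safer to skip both checks only when no root list was loaded and to keep them whenever one exists. At minimum the marker should read something like `/* server certificate is NOT verified: connection is encrypted but unauthenticated */`, since the function body continues outside these hunks and a reader there will not see the original comments.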