Re: patch for SSL cleanup, client certificates

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: bgiles(at)coyotesong(dot)com
Cc: pgsql-patches(at)postgresql(dot)org
Subject: Re: patch for SSL cleanup, client certificates
Date: 2002-06-11 22:34:09
Message-ID: 200206112234.g5BMY9u24610@candle.pha.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-patches


I assume this was all rolled into the later SSL patches, 1-9, right?

---------------------------------------------------------------------------

Bear Giles wrote:
> Attached is a patch that includes some SSL cleanup and adds support for
> client certificates. The visible changes are:
>
> 1) postmaster logs anonymous SSL connections:
>
> DEBUG: SSL connection from (anonymous) with cipher EDH-RSA-DES-CBC3-SHA
>
> 2) postmaster logs SSL connections with client certificates:
>
> DEBUG: SSL connection from Bear Giles with cipher EDH-RSA-DES-CBC3-SHA
>
> (The postmaster will also log any errors in the certificate.)
>
> 3) libpq recognizes two new environment variables/configuration file
> options
>
> PQCLIENTCERT: pathname of client certificate
> PQCLIENTKEY: pathname of client key
>
> At the current time, only unencrypted keys are supported.
> There is a prototype callback that prompts the user for an
> encryption passphrase, but it's not yet activated.
>
> For security reasons, the key file must be a regular file
> that is not world- or group-accessible. It should also be
> owned by the server or user, but this is not yet checked.
>
> The client cert, if provided, is available at 'port->peer', but
> this value is not yet used to map a client cert into a PostgreSQL
> user.
>
>
> The patch also provides some cleanup of the SSL calls:
>
> 1) proper error checking for SSL_read() and SSL_write().
> (You need to call SSL_get_error(), not just check the system
> errno.)
>
> 2) proper shutdown of the SSL connection, at least on the client
> side. Simply closing the socket is a sadly common error.
> (SSL_shutdown()).
>
> 3) Empheral DH keys have been added, with fallbacks provided from
> the OpenSSL source code.
>
> 4) keys must be regular files and not world- or group-accessible.
> They should also be owned by the postmaster or client, but I
> haven't added that test yet.
>
> Unfortunately the error messages if the permissions tests fail
> are cryptic at best. This definitely needs improvement!
>
> Some serious work remains:
>
> 1) we should move towards TLSv1 instead of SSLv3 or SSLv2.
> But this may have unforeseen consequences so we should make
> sure everything else is working well first.
>
> 2) we need to provide a way to specify a good entropy source,
> if one is available.
>
> 3) we need to provide a trigger to renegotiate the session key.
> (E.g., renegotiate the session key after N hours or X megabytes
> of data.)
>
> 4) certificates should be better validated.
>
> 5) backend/libpq/hba.c needs to be extended to support mapping
> from client cert to database identity.
>
> Bear

Content-Description: /tmp/diff

[ Attachment, skipping... ]

>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026

In response to

Browse pgsql-patches by date

  From Date Subject
Next Message Bruce Momjian 2002-06-11 22:39:39 Re: PATCH SSL_pending() checks in libpq/fe-misc.c
Previous Message Bruce Momjian 2002-06-11 22:33:24 Re: SSL (patch 10)