| From: | dom(at)happygiraffe(dot)net (Dominic Mitchell) |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-patches(at)postgresql(dot)org |
| Subject: | Re: doc patch for ssl in server |
| Date: | 2004-09-23 21:11:58 |
| Message-ID: | 20040923211158.GA28254@ppe.happygiraffe.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-patches |
On Thu, Sep 23, 2004 at 04:37:52PM -0400, Tom Lane wrote:
> Dominic Mitchell <dom(at)happygiraffe(dot)net> writes:
> > + If verification of client certificates is required, place the
> > + certificates of the <acronym>CA</acronym> you wish to check for in
> > + the file <filename>root.crt</filename> in the data directory. When
> > + present, a client certificate will be requested from the client
> > + making the connection and it must have been signed by one of the
> > + certificates present in <filename>root.crt</filename>. If no
> > + certificate is presented, the connection will be allowed to proceed
> > + anway.
>
> That last statement is not actually correct, is it? AFAICS we do tell
> SSL to enforce certificates if we find a valid root.crt file.
Nope, the code says "ask the client to give me a certificate, but carry
on anyway if you don't get one". The call to SSL_CTX_set_verify in
be-secure.c/initialize_SSL() specifies SSL_VERIFY_PEER |
SSL_VERIFY_CLIENT_ONCE. According to the docs[1], you also need
SSL_VERIFY_FAIL_IF_NO_PEER_CERT if you want requests that do not send a
certificate to be rejected. That terminates the connection immediately.
I've no idea what that would do to the server's state at that point.
More to the point, I can definitely connect in this mode:
% ls -l ~/.postgresql
total 0
% sudo ls -l ~pgsql/data
Password:
total 36
-rw------- 1 pgsql pgsql 4 Dec 5 2003 PG_VERSION
drwx------ 10 pgsql pgsql 512 Sep 17 22:42 base
drwx------ 2 pgsql pgsql 512 Sep 23 22:10 global
drwx------ 2 pgsql pgsql 512 Dec 5 2003 pg_clog
-r--r--r-- 1 pgsql pgsql 3480 Sep 16 21:28 pg_hba.conf
-rw------- 1 pgsql pgsql 1441 Dec 5 2003 pg_ident.conf
drwx------ 2 pgsql pgsql 512 Sep 21 04:09 pg_xlog
-r--r--r-- 1 pgsql pgsql 8033 Sep 21 23:37 postgresql.conf
-rw------- 1 pgsql pgsql 26 Sep 22 07:38 postmaster.opts
-rw------- 1 pgsql pgsql 48 Sep 23 06:01 postmaster.pid
-rw-r--r-- 1 pgsql pgsql 1204 Sep 16 21:30 root.crt
-rw-r--r-- 1 pgsql pgsql 3469 Sep 16 21:24 server.crt
-r-------- 1 pgsql pgsql 887 Sep 16 21:24 server.key
% psql -h db.happygiraffe.net
Welcome to psql 7.4.5, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
dom=#
-Dom
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2004-09-23 21:12:56 | Re: SQL-Invoked Procedures for 8.1 |
| Previous Message | Greg Stark | 2004-09-23 21:10:30 | Re: SQL-Invoked Procedures for 8.1 |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2004-09-23 21:26:28 | Re: doc patch for ssl in server |
| Previous Message | Tom Lane | 2004-09-23 20:37:52 | Re: doc patch for ssl in server |