Re: [ADMIN] no verification of client certificate?

Ray Stell wrote:
>
> Thanks, I'd, also, suggest a link on the "Secure TCP/IP Connections with SSL"
> page in chapt 16: http://www.postgresql.org/docs/current/static/ssl-tcp.html
> to the discussion of the client config issues in chapter 29:
> http://www.postgresql.org/docs/8.2/static/libpq-ssl.html
> Otherwise, there is no mention of the client .postgresql/ directory, something
> I was missing.

That is exactly where I put it:

http://momjian.us/main/writings/pgsql/sgml/ssl-tcp.html

Is that good? You don't see it on the web site because we haven't
rebuilt the documentation for 8.2.X yet.

---------------------------------------------------------------------------

>
>
>
>
> On Thu, Mar 29, 2007 at 11:44:58PM -0400, Bruce Momjian wrote:
> >
> > I researched this and found that the documentation was wrong because it
> > said if the client has a 'root.crt', the server must have a 'root.crt',
> > when in fact on the server a 'server.crt' is required. Documentation
> > updated, and mention of libpq SSL section added to server documentation.
> >
> > The libpq comment verifies this:
> >
> > /* Set up to verify server cert, if root.crt is present */
> >
> > Doc patch attached. Backpatched to 8.2.X.
> >
> > ---------------------------------------------------------------------------
> >
> > Michael Fuhr wrote:
> > > On Mon, Mar 26, 2007 at 12:04:21AM -0400, Tom Lane wrote:
> > > > Well, if it works then why is the OP complaining?
> > > >
> > > > Perhaps there is some non-obvious configuration issue that accounts
> > > > for the difference between your results and his?
> > >
> > > I don't see in the OP's messages that he's tried the configuration
> > > I used. He said he was using the following:
> > >
> > > > > no root.crt in the data dir
> > > > > no .postgresql/ <--- this is what made me think there was no server verification
> > > > > server.crt/key in the data dir
> > > > > pg_hba.conf set to hostssl
> > > > > PGSSLMODE=required or prefer
> > >
> > > My test configuration looks the same on the server but different
> > > on the client:
> > >
> > > Server, in $PGDATA
> > > ==================
> > > server.key
> > > server.crt (signed by some CA)
> > > no root.crt
> > >
> > > Client, in ~/.postgresql
> > > ========================
> > > root.crt (for the CA that signed server.crt)
> > > no postgresql.key or postgresql.crt
> > >
> > > The OP did say that
> > >
> > > > > When I first looked at the ssl doc, I didn't see any description of
> > > > > installing the root ca on the client. This seemed odd. On my web client,
> > > > > when I need to verify the server crt, I install the appropriate ca in
> > > > > the client.
> > >
> > > The "SSL Support" section of the libpq documentation mentions
> > > installing root.crt on the client:
> > >
> > > http://www.postgresql.org/docs/8.2/interactive/libpq-ssl.html
> > >
> > > "If the file ~/.postgresql/root.crt is present in the user's home
> > > directory, libpq will use the certificate list stored therein to
> > > verify the server's certificate. (On Microsoft Windows the file is
> > > named %APPDATA%\postgresql\root.crt.) The SSL connection will fail
> > > if the server does not present a certificate; therefore, to use
> > > this feature the server must also have a root.crt file."
> > >
> > > The requirement that the server have a root.crt appears to be
> > > incorrect, at least in the tests I ran. Unless somebody can justify
> > > that statement I'll submit a documentation patch to correct it.
> > >
> > > --
> > > Michael Fuhr
> > >
> > > ---------------------------(end of broadcast)---------------------------
> > > TIP 7: You can help support the PostgreSQL project by donating at
> > >
> > > http://www.postgresql.org/about/donate
> >
> > --
> > Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
> > EnterpriseDB http://www.enterprisedb.com
> >
> > + If your life is a hard drive, Christ can be your backup. +
>
> > Index: doc/src/sgml/libpq.sgml
> > ===================================================================
> > RCS file: /cvsroot/pgsql/doc/src/sgml/libpq.sgml,v
> > retrieving revision 1.234
> > diff -c -c -r1.234 libpq.sgml
> > *** doc/src/sgml/libpq.sgml 20 Feb 2007 19:35:17 -0000 1.234
> > --- doc/src/sgml/libpq.sgml 30 Mar 2007 03:14:01 -0000
> > ***************
> > *** 4501,4507 ****
> > <filename>%APPDATA%\postgresql\root.crt</filename>.)
> > The SSL connection will
> > fail if the server does not present a certificate; therefore, to
> > ! use this feature the server must also have a <filename>root.crt</> file.
> > Certificate Revocation List (CRL) entries are also checked if the file
> > <filename>~/.postgresql/root.crl</filename> exists (<filename>%APPDATA%\postgresql\root.crl</filename>
> > on Microsoft Windows).
> > --- 4501,4507 ----
> > <filename>%APPDATA%\postgresql\root.crt</filename>.)
> > The SSL connection will
> > fail if the server does not present a certificate; therefore, to
> > ! use this feature the server must have a <filename>server.crt</> file.
> > Certificate Revocation List (CRL) entries are also checked if the file
> > <filename>~/.postgresql/root.crl</filename> exists (<filename>%APPDATA%\postgresql\root.crl</filename>
> > on Microsoft Windows).
> > Index: doc/src/sgml/runtime.sgml
> > ===================================================================
> > RCS file: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v
> > retrieving revision 1.380
> > diff -c -c -r1.380 runtime.sgml
> > *** doc/src/sgml/runtime.sgml 6 Mar 2007 09:59:22 -0000 1.380
> > --- doc/src/sgml/runtime.sgml 30 Mar 2007 03:14:04 -0000
> > ***************
> > *** 1574,1583 ****
> > certificates of the <acronym>CA</acronym>(s) you wish to check for in
> > the file <filename>root.crt</filename> in the data directory. When
> > present, a client certificate will be requested from the client
> > ! during SSL connection startup, and it must have been signed by one of the
> > ! certificates present in <filename>root.crt</filename>. Certificate
> > ! Revocation List (CRL) entries are also checked if the file
> > ! <filename>root.crl</filename> exists.
> > </para>
> >
> > <para>
> > --- 1574,1584 ----
> > certificates of the <acronym>CA</acronym>(s) you wish to check for in
> > the file <filename>root.crt</filename> in the data directory. When
> > present, a client certificate will be requested from the client
> > ! during SSL connection startup, and it must have been signed by one of
> > ! the certificates present in <filename>root.crt</filename>. (See <xref
> > ! linkend="libpq-ssl"> for a description of how to set up client
> > ! certificates.) Certificate Revocation List (CRL) entries are also
> > ! checked if the file <filename>root.crl</filename> exists.
> > </para>
> >
> > <para>
>
> --
> I asked for a car, I got a computer. How's that for being born under a bad sign? - Bueller

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +