Re: Spoofing as the postmaster

From: Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Andrew Sullivan <ajs(at)crankycanuck(dot)ca>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Spoofing as the postmaster
Date: 2007-12-29 04:02:14
Message-ID: 4775C6C6.2040908@mark.mielke.cc
Lists: pgsql-hackers

Tom Lane wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
>
>> Agreed. Requiring client root certificate checking is heavy-handed.
>>
> There seems to be some confusion here. I didn't think anyone was
> proposing that we force every installation to require client root
> certificate checking. What was under discussion (I thought) was
> providing the ability for a DBA to *choose* to require it.
>
>> Of course I am not sure anyone knows how to get that information from
>> SSL.
>>
> Yeah, if OpenSSL doesn't support testing for this then the discussion
> is moot..
I believe SSL is only capable of letting you know whether authentication
for each end point was 1) not requested, 2) optionally requested, or 3)
required. Note that even if the authentication is required, there is no
way to know how authentication was performed. For example, did it check
the signature chain, requiring it to map to a public root certificate
list used by most web browsers? If so, did it check the contents of the
certificate, or is it only checking that it exists? Did it check a local
key store that has a copy of the public key certificate? Or did it just
log the certificate subject?

OpenSSH, for instance, presents the user with the fingerprint of the
certificate and asks you:

$ ssh 192.168.0.1
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
RSA key fingerprint is 3e:a7:0f:04:60:7e:8e:64:52:bf:81:92:a9:05:c7:36.
Are you sure you want to continue connecting (yes/no)?

While this certainly gives you the opportunity to challenge it, I don't
know of any person who actually checks this fingerprint. Luckily, it
stores it to ~/.ssh/known_hosts, and so the real issue is if it suddenly
changes, you get a warning. Still, I've seen the warning before, and
realized that "oh yes, that machine was upgraded, so it probably has a
new public key". I have never personally checked the fingerprint
against a known source. Authentication is only as strong as the person
or process confirming it. In the case of trying to force a client to
authenticate the server, this requires the client to know who the server
is. As most clients will not know who the server is, I see clients
implementing an OpenSSH-style authentication model (shown above), or
providing their own no-op authentication routine to OpenSSL. I don't
think it is worth it, and I don't think it would work.

Cheers,
mark

--
Mark Mielke <mark(at)mielke(dot)cc>
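The OpenSSH-style model Mark describes above, applied to a TLS server, as an added example that is not part of the original thread or of PostgreSQL: the client does not ask OpenSSL how (or whether) the peer was validated, since the library cannot tell it that; it records the fingerprint of the certificate it sees on first use and refuses to proceed if a later connection presents a different one. The known_hosts-style file format ("host:port sha256 fingerprint"), the use of SHA-256 instead of the MD5-style fingerprint shown in the ssh transcript, and the host:port key are assumptions made for this example; the certificate bytes in the usage section are constructed placeholders, not real certificates.

```python
"""Trust-on-first-use pinning of a TLS server certificate, modelled on the
OpenSSH known_hosts check. Example code, not PostgreSQL's or OpenSSH's own.

Three outcomes, mirroring ssh:
  'new'      -> "authenticity of host ... can't be established"
  'match'    -> silent success
  'mismatch' -> "REMOTE HOST IDENTIFICATION HAS CHANGED"; never accepted
                silently, because only a person or process can decide whether
                the server really was upgraded or is being spoofed.
"""
import hashlib
import socket
import ssl
from pathlib import Path


class HostKeyChanged(Exception):
    """Raised when a pinned host presents a different certificate."""


def fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate,
    in the same style as ssh's 'RSA key fingerprint is ...' line
    (assumption: SHA-256 rather than the MD5 shown in the transcript)."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_known_hosts(text: str) -> dict:
    """Parse the assumed file format: one 'host:port sha256 <fp>' per line.
    Blank lines and '#' comments are ignored; malformed or unknown record
    types are skipped rather than trusted."""
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] != "sha256":
            continue
        store[parts[0]] = parts[2].lower()
    return store


def format_known_hosts(store: dict) -> str:
    """Inverse of parse_known_hosts; sorted so diffs of the file are stable."""
    lines = [f"{host} sha256 {fp}" for host, fp in sorted(store.items())]
    return "\n".join(lines) + ("\n" if lines else "")


def check_pin(store: dict, host_key: str, der_cert: bytes,
              trust_first_use: bool = True) -> str:
    """Compare the presented certificate against the pin for host_key.

    Returns 'match', 'new' or 'mismatch'. With trust_first_use=True an
    unknown host is pinned on the spot (what most people do at the ssh
    prompt); with False the caller must confirm the fingerprint out of band
    before calling again. A mismatch never updates the store."""
    fp = fingerprint(der_cert)
    known = store.get(host_key)
    if known is None:
        if trust_first_use:
            store[host_key] = fp
        return "new"
    return "match" if known == fp else "mismatch"


def connect_pinned(host: str, port: int, known_hosts: Path,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and apply the known_hosts check to the peer.

    Chain validation is deliberately disabled (CERT_NONE): trust comes from
    the pin, not from a CA list, which is the OpenSSH-style model. This
    function needs a live server and is not exercised offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    store = parse_known_hosts(known_hosts.read_text()) if known_hosts.exists() else {}
    host_key = f"{host}:{port}"
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                          server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    result = check_pin(store, host_key, der)
    if result == "mismatch":
        tls.close()
        raise HostKeyChanged(f"{host_key} presented {fingerprint(der)}, "
                             f"expected {store[host_key]}")
    if result == "new":
        known_hosts.write_text(format_known_hosts(store))
    return tls


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for two different DER certs.
    cert_a = b"\x30\x82\x01\x00constructed-cert-A"
    cert_b = b"\x30\x82\x01\x00constructed-cert-B"
    pins = {}
    print(check_pin(pins, "db.example:5432", cert_a))   # new (pinned)
    print(check_pin(pins, "db.example:5432", cert_a))   # match
    print(check_pin(pins, "db.example:5432", cert_b))   # mismatch
    print(format_known_hosts(pins), end="")
```

The mismatch branch is where the message's point bites: the code can only say that the key changed, not why, so it raises rather than guessing, and the "oh yes, that machine was upgraded" judgement stays with whoever edits the known_hosts file.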
