From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Alex Hunsaker <badalex(at)gmail(dot)com> |
Cc: | PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: patch: Client certificate requirements |
Date: | 2008-11-17 09:53:45 |
Message-ID: | 49213F29.8080204@hagander.net |
Lists: | pgsql-hackers |
Alex Hunsaker wrote:
> On Thu, Oct 23, 2008 at 08:51, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>> Magnus Hagander wrote:
>>> This patch adds a configuration option to pg_hba.conf for "clientcert".
>>> This makes it possible to have different client certificate requirements
>>> on different connections. It also makes sure that if you specify that
>>> you want client cert verification and the root store isn't there, we
>>> give an error instead of silently allowing the user in (like we do now).
>>>
>>> This still does not implement actual client certificate validation -
>>> that's for a later step. It just cleans up the handling we have now.
>> Uh, with docs.
>>
>> //Magnus
>
> Hi, in getting ready to view the other clientcert patch, I thought I
> should give this a quick look over.
>
> This hunk will break non-SSL builds (due to port->peer):
>
> *** a/src/backend/libpq/auth.c
> --- b/src/backend/libpq/auth.c
> ***************
> *** 272,277 **** ClientAuthentication(Port *port)
> --- 272,303 ----
> errmsg("missing or erroneous pg_hba.conf file"),
> errhint("See server log for details.")));
>
> + /*
> + * This is the first point where we have access to the hba record for
> + * the current connection, so perform any verifications based on the
> + * hba options field that should be done *before* the authentication
> + * here.
> + */
> + if (port->hba->clientcert)
> + {
> + /*
> + * When we parse pg_hba.conf, we have already made sure that we have
> + * been able to load a certificate store. Thus, if a certificate is
> + * present on the client, it has been verified against our root
> + * certificate store, and the connection would have been aborted
> + * already if it didn't verify ok.
> + */
> + if (!port->peer)
> + {
> + ereport(FATAL,
> + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
> + errmsg("connection requires a valid client certificate")));
> + }
> + }
> +
> + /*
> + * Now proceed to do the actual authentication check
> + */
> switch (port->hba->auth_method)
> {
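Review bot: The `if (!port->peer)` test in the added block uses a Port field that, per the report above, is only available in SSL builds, so the block needs a `#ifdef USE_SSL` guard. Once guarded, a non-SSL build would skip the check entirely and fall straight through to `switch (port->hba->auth_method)`, so a `clientcert` setting should be rejected there when pg_hba.conf is parsed rather than silently ignored. The inner comment also depends on the certificate store having been loaded at parse time, which this hunk does not show; a pointer to the parsing code in that comment would make the assumption checkable.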
Good point, thanks!
Added #ifdef USE_SSL around it.
(will address the other part of your response in a separate mail)
//Magnus