Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present - Mailing list pgsql-hackers

From Lou Picciano
Subject Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present
Date
Msg-id 1575492310.1868745.1316782897858.JavaMail.root@sz0093a.westchester.pa.mail.comcast.net
In response to Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
From: "Magnus Hagander" <magnus@hagander.net>
To: "Lou Picciano" <loupicciano@comcast.net>
Cc: "PostgreSQL-development" <pgsql-hackers@postgresql.org>, "Srinivas Aji" <srinivas.aji@emc.com>
Sent: Friday, September 23, 2011 8:38:00 AM
Subject: Re: [HACKERS] Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present

On Fri, Sep 23, 2011 at 14:35, Lou Picciano <loupicciano@comcast.net> wrote:
>
> On Wed, Aug 31, 2011 at 11:59, Srinivas Aji <srinivas.aji@emc.com> wrote:
>>
>> The following bug has been logged online:
>>
>> Bug reference:      6189
>> Logged by:          Srinivas Aji
>> Email address:      srinivas.aji@emc.com
>> PostgreSQL version: 9.0.4
>> Operating system:   Linux
>> Description:        libpq: sslmode=require verifies server certificate if
>> root.crt is present
>> Details:
>>
> ...
>>
>> The observed behaviour is a bit different. If the ~/.postgresql/root.crt
>> file (or any other filename set through sslrootcert option) is found,
>> sslmode=require also performs the same level of certificate verification
>> as verify-ca. The difference between require and verify-ca is that it is an
>> error for the file to not exist when sslmode is verify-ca.
>
> I looked at this again, and I'm pretty sure we did this intentionally.
> The idea being that before we had the verify-ca/verify-full options,
> adding the root cert would enable the verification. And we didn't want
> to turn installations that previously did verify the certificate to
> stop doing so in the new version.
>
> So basically, the behaviour that is by design is:
> * require: if certificate exists, verify. if certificate doesn't
> exist, don't verify.
> * verify-ca: if certificate exists, verify. if certificate doesn't
> exist, disconnect.
>
> The question is, have we had the new options long enough now that we
> should change it so that we don't verify the cert in the case of
> cert-exists-but-verification-wasn't-explicitly-asked-for?
>
> Or should we just update the documentation to mention how this works?
>
> Magnus, If you're accepting votes on this: I would say 'yes' - change the
> behavior to the most logically consistent ones; ie, isolate the verification
> bits a bit more explicitly. And, in documentation, indicate the deprecation
> of the old behavior.
>
> Our mileage, in practical terms, is that the perceived inconsistencies
> create a minor support hassle - we don't want to present any - even trivial
> - hurdle to adoption of SSL to our clients.

There are really two options to this as well - we can backpatch such a
change, or we can change it only in 9.2. I'm leaning towards a "no" on
the backport, because that will change things for existing users. So
probably a doc change in backbranches and a behaviour change in 9.2
would be the reasonable choice in this case.

Again, if you were soliciting votes, I'd take the aggressive stance: +1 for the backport to 9.1.

Of the population using SSL, you'd be pulling out the subset getting all the way down into PKI implementation, then, those actually doing apps teasing out these differences in verification behavior...  Among _that_ group, you're only concerned with recent adopters of 9.1, and only those who wouldn't be in a position to adapt pretty quickly. Probably a pretty small cohort for something this esoteric.

In our case, we do run into it - for our new clients. We find ourselves in something of a support role regarding pqlib's SSL capabilities!

Lou Picciano
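
The file-dependent behaviour described in the message above (require verifies only when the root certificate file exists, verify-ca fails when it is missing), as an added example that is not part of the original message or of libpq's code. It is a small Python helper for auditing client connection strings; `parse_conninfo` and `effective_verification` are hypothetical names, the parser assumes simple `key=value` strings, and only the two sslmode values the thread describes are modelled.

```python
import os
import shlex

# Default root certificate location named in the bug report, relative to $HOME.
DEFAULT_ROOT_CERT = os.path.join(".postgresql", "root.crt")


def parse_conninfo(conninfo):
    """Parse a simple 'key=value key=value' string; quoted values are allowed."""
    params = {}
    for token in shlex.split(conninfo):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"not a key=value pair: {token!r}")
        params[key] = value
    return params


def effective_verification(conninfo, home=None):
    """Return (outcome, root_cert_path) per the behaviour described in the thread.

    outcome: 'verify'      server certificate checked against the root file
             'no-verify'   encrypted, server certificate not checked
             'error'       connection fails because the root file is missing
             'not-covered' sslmode value the thread does not describe
    """
    params = parse_conninfo(conninfo)
    home = home or os.path.expanduser("~")
    root = params.get("sslrootcert") or os.path.join(home, DEFAULT_ROOT_CERT)
    present = os.path.isfile(root)
    mode = params.get("sslmode")
    if mode == "require":
        # Verification silently depends on whether the file happens to exist.
        return ("verify" if present else "no-verify"), root
    if mode == "verify-ca":
        return ("verify" if present else "error"), root
    return "not-covered", root


if __name__ == "__main__":
    # Constructed sample connection strings, not taken from the thread.
    for ci in ("host=db.example sslmode=require",
               "host=db.example sslmode=verify-ca",
               "host=db.example sslmode=require sslrootcert=/nonexistent/ca.crt"):
        outcome, root = effective_verification(ci)
        print(f"{ci!r}: {outcome} (root cert: {root})")
```

A `no-verify` result for a `require` connection marks a client whose certificate checking disappears if the root file is removed or never deployed, which is the case where `verify-ca` would instead refuse to connect.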
