Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present - Mailing list pgsql-hackers
From: Lou Picciano
Subject: Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present
Msg-id: 1575492310.1868745.1316782897858.JavaMail.root@sz0093a.westchester.pa.mail.comcast.net
In response to: Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present (Magnus Hagander <magnus@hagander.net>)
List: pgsql-hackers
From: "Magnus Hagander" <magnus@hagander.net>
To: "Lou Picciano" <loupicciano@comcast.net>
Cc: "PostgreSQL-development" <pgsql-hackers@postgresql.org>, "Srinivas Aji" <srinivas.aji@emc.com>
Sent: Friday, September 23, 2011 8:38:00 AM
Subject: Re: [HACKERS] Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present

On Fri, Sep 23, 2011 at 14:35, Lou Picciano <loupicciano@comcast.net> wrote:
>
> On Wed, Aug 31, 2011 at 11:59, Srinivas Aji <srinivas.aji@emc.com> wrote:
>>
>> The following bug has been logged online:
>>
>> Bug reference: 6189
>> Logged by: Srinivas Aji
>> Email address: srinivas.aji@emc.com
>> PostgreSQL version: 9.0.4
>> Operating system: Linux
>> Description: libpq: sslmode=require verifies server certificate if
>> root.crt is present
>> Details:
>>
> ...
>>
>> The observed behaviour is a bit different. If the ~/.postgresql/root.crt
>> file (or any other filename set through sslrootcert option) is found,
>> sslmode=require also performs the same level of certificate verification
>> as
>> verify-ca. The difference between require and verify-ca is that it is an
>> error for the file to not exist when sslmode is verify-ca.
>
> I looked at this again, and I'm pretty sure we did this intentionally.
> The idea being that before we had the verify-ca/verify-full options,
> adding the root cert would enable the verification. And we didn't want
> to turn installations that previously did verify the certificate to
> stop doing so in the new version.
>
> So basically, the behaviour that is by design is:
> * require: if certificate exists, verify. if certificate doesn't
> exist, don't verify.
> * verify-ca: if certificate exists, verify. if certificate doesn't
> exist, disconnect.
>
> The question is, have we had the new options long enough now that we
> should change it so that we don't verify the cert in the case of
> cert-exists-but-verification-wasn't-explicitly-asked-for?
>
> Or should we just update the documentation to mention how this works?
>
> Magnus, if you're accepting votes on this: I would say 'yes' - change the
> behavior to the most logically consistent ones; i.e., isolate the verification
> bits a bit more explicitly. And, in documentation, indicate the deprecation
> of the old behavior.
>
> Our mileage, in practical terms, is that the perceived inconsistencies
> create a minor support hassle - we don't want to present any - even trivial
> - hurdle to adoption of SSL to our clients.

There are really two options to this as well - we can backpatch such a
change, or we can change it only in 9.2. I'm leaning towards a "no" on
the backport, because that will change things for existing users. So
probably a doc change in backbranches and a behaviour change in 9.2
would be the reasonable choice in this case.

Again, if you were soliciting votes, I'd take the aggressive stance: +1 for the backport to 9.1.

Of the population using SSL, you'd be pulling out the subset getting all the way down into PKI implementation, then those actually doing apps teasing out these differences in verification behavior... Among _that_ group, you're only concerned with recent adopters of 9.1, and only those who wouldn't be in a position to adapt pretty quickly. Probably a pretty small cohort for something this esoteric.

In our case, we do run into it - for our new clients. We find ourselves in something of a support role regarding pqlib's SSL capabilities!

Lou Picciano
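The verification rules Magnus lays out in the quoted message (sslmode=require verifies the server certificate only when a root cert file happens to be present; verify-ca refuses to connect without one), as an added example that is not part of the original thread and is not libpq's own code: a small Python audit that parses a libpq-style connection string, resolves the CA file the way the bug report describes (sslrootcert, else ~/.postgresql/root.crt), and reports whether the session will actually be verified or silently run unverified. The parse_conninfo helper, the file_exists hook, the report layout, and the treatment of allow/prefer are assumptions of this example, not something the page states; verify-full checking the host name comes from the libpq documentation, not from the thread.

```python
"""Audit a libpq connection string for the sslmode / root.crt interaction
discussed in BUG #6189.  Added example, not libpq code: it models the
behaviour Magnus describes in the thread (require verifies only if the root
cert file happens to exist; verify-ca and verify-full refuse to connect
without it) so a silent downgrade to an unverified TLS session is visible.
"""
import os
import re
from typing import Callable, Dict

# Default CA file location when sslrootcert is not given (from the bug report).
DEFAULT_ROOT_CERT = os.path.join("~", ".postgresql", "root.crt")

# One "key = value" pair; the value may be single-quoted with backslash escapes.
_PAIR = re.compile(r"\s*(\w+)\s*=\s*(?:'((?:\\.|[^'])*)'|(\S+))")


def parse_conninfo(conninfo: str) -> Dict[str, str]:
    """Parse a libpq-style key=value connection string (helper assumed here)."""
    params: Dict[str, str] = {}
    pos = 0
    while pos < len(conninfo):
        m = _PAIR.match(conninfo, pos)
        if m is None:
            if conninfo[pos:].strip():
                raise ValueError(f"unparseable conninfo at offset {pos}")
            break
        key, quoted, bare = m.groups()
        # Inside quotes, \x stands for the literal character x.
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        params[key] = value
        pos = m.end()
    return params


def effective_verification(params: Dict[str, str],
                           file_exists: Callable[[str], bool] = os.path.exists) -> Dict[str, object]:
    """Report what a connection with these parameters will verify.

    Mirrors the rules stated in the thread for require / verify-ca, plus
    verify-full (which additionally checks the host name).  The file_exists
    hook lets callers audit a DSN without touching the local filesystem.
    """
    sslmode = params.get("sslmode", "prefer")
    root = os.path.expanduser(params.get("sslrootcert") or DEFAULT_ROOT_CERT)
    present = bool(file_exists(root))
    report: Dict[str, object] = {
        "sslmode": sslmode, "root_cert": root, "root_cert_present": present,
        "tls_required": False, "verifies_ca": False, "verifies_hostname": False,
        "fails": None, "warning": None,
    }
    if sslmode == "disable":
        report["warning"] = "TLS disabled: plaintext session"
    elif sslmode in ("verify-ca", "verify-full"):
        report["tls_required"] = True
        if not present:
            # verify-ca / verify-full: missing root cert is a hard error.
            report["fails"] = f"root certificate file {root} does not exist"
        else:
            report["verifies_ca"] = True
            report["verifies_hostname"] = sslmode == "verify-full"
    elif sslmode == "require":
        # require: verification depends entirely on the file being present.
        report["tls_required"] = True
        report["verifies_ca"] = present
        report["warning"] = (
            "CA verification only because the root cert file exists; "
            "deleting it silently drops verification (state verify-ca instead)"
            if present else
            "encrypted, but the server's identity is not verified")
    elif sslmode in ("allow", "prefer"):
        # Assumption, not stated in the thread: once TLS is negotiated these
        # modes follow the same file-presence rule as require, and both may
        # fall back to a plaintext connection.
        report["verifies_ca"] = present
        report["warning"] = "TLS optional: the session may end up in plaintext"
    else:
        raise ValueError(f"unknown sslmode {sslmode!r}")
    return report


def audit(conninfo: str, file_exists: Callable[[str], bool] = os.path.exists) -> Dict[str, object]:
    """Parse a connection string and return its verification report."""
    return effective_verification(parse_conninfo(conninfo), file_exists)


if __name__ == "__main__":
    # Constructed sample DSN, audited with and without the CA file in place.
    dsn = "host=db.example.com dbname=app sslmode=require sslrootcert='/etc/pg/root.crt'"
    for exists in (True, False):
        r = audit(dsn, file_exists=lambda _p, e=exists: e)
        print(f"root cert present={r['root_cert_present']}: "
              f"verifies_ca={r['verifies_ca']} -> {r['warning']}")
```

The practical takeaway for a deployment is the warning the audit emits for sslmode=require: a client that relies on the root cert file being present gets CA verification today and none the day the file is removed, with no error either way, so a connection string that is meant to verify the server should say verify-ca or verify-full explicitly.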