patch for SSL cleanup, client certificates - Mailing list pgsql-patches

From Bear Giles
Subject patch for SSL cleanup, client certificates
Date
Msg-id 200205170509.XAA03262@eris.coyotesong.com
Responses Re: patch for SSL cleanup, client certificates  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-patches
Attached is a patch that includes some SSL cleanup and adds support for
client certificates.  The visible changes are:

1) postmaster logs anonymous SSL connections:

     DEBUG: SSL connection from (anonymous) with cipher EDH-RSA-DES-CBC3-SHA

2) postmaster logs SSL connections with client certificates:

     DEBUG: SSL connection from Bear Giles with cipher EDH-RSA-DES-CBC3-SHA

   (The postmaster will also log any errors in the certificate.)

3) libpq recognizes two new environment variables/configuration file
   options

     PQCLIENTCERT:  pathname of client certificate
     PQCLIENTKEY:   pathname of client key

   At the current time, only unencrypted keys are supported.
   There is a prototype callback that prompts the user for an
   encryption passphrase, but it's not yet activated.

   For security reasons, the key file must be a regular file
   that is not world- or group-accessible.  It should also be
   owned by the server or user, but this is not yet checked.

The client cert, if provided, is available at 'port->peer', but
this value is not yet used to map a client cert into a PostgreSQL
user.


The patch also provides some cleanup of the SSL calls:

1) proper error checking for SSL_read() and SSL_write().
   (You need to call SSL_get_error(), not just check the system
   errno.)

2) proper shutdown of the SSL connection, at least on the client
   side.  Simply closing the socket is a sadly common error.
   (SSL_shutdown()).

3) Ephemeral DH keys have been added, with fallbacks provided from
   the OpenSSL source code.

4) keys must be regular files and not world- or group-accessible.
   They should also be owned by the postmaster or client, but I
   haven't added that test yet.

   Unfortunately the error messages if the permissions tests fail
   are cryptic at best.  This definitely needs improvement!

Some serious work remains:

1) we should move towards TLSv1 instead of SSLv3 or SSLv2.
   But this may have unforeseen consequences so we should make
   sure everything else is working well first.

2) we need to provide a way to specify a good entropy source,
   if one is available.

3) we need to provide a trigger to renegotiate the session key.
   (E.g., renegotiate the session key after N hours or X megabytes
   of data.)

4) certificates should be better validated.

5) backend/libpq/hba.c needs to be extended to support mapping
   from client cert to database identity.

Bear

Attachment
