Re: pq_eof() broken with SSL - Mailing list pgsql-hackers
From | Bear Giles |
---|---|
Subject | Re: pq_eof() broken with SSL |
Date | |
Msg-id | 200205192138.PAA24676@eris.coyotesong.com Whole thread Raw |
In response to | Re: pq_eof() broken with SSL (Peter Eisentraut <peter_e@gmx.net>) |
List | pgsql-hackers |
> > a better fix is to explicitly create a new abstraction layer. > > Well, this is supposed to be an abstraction already. ;-) The new abstraction layer would localize SSL vs. plain sockets, and possibly SASL as well. The SSL issues I've identified to date are: critical - no check for SSL_get_error() after reads and writes. (*) - code assumes zero bytes read or write indicates an error. This isn't necessarily the case with SSL because of control messages. severe - pq_eof() fails on SSL. Since this is localized to the password handling code, I don't consider this error critical sincethe system can reliably work provided known problematic conditions are avoided. - both front- and back-end should call SSL_shutdown() immediately prior to closing connection. (1/2 *) - private keys should be regular files with mode 0600 or 0400. (*) they should be owned by the running process. - backend should use empheral DH keys. - encrypted private keys should be supported. important - client cert handling. (*) - makecert(?), a tool to generate PostgreSQL server certs. It is comparable in function to Apache mod-ssl script of thesame name, and should be run when installing database if SSL is enabled. - pgkeygen(?), a tool to generate client certificates. It is comparable to sshkeygen for SSH. - client and server should migrate to TLS. - connections should expire after a period of inactivity. - clients should provide identification of remote system to user. (*) - clients should verify that the server cert identifies the server. (server "common name" should resolve to IP address of server.) - DSA keys should work. ongoing - change protocol to use 'STARTTLS' type negotiation, instead of current approach. - SASL? - using client certs for authentication unknown - I'm not sure select() is guaranteed to work with SSL. (*) have had patches submitted, but may be superceded by subsequent patches. Unfortunately, I'm not sure that this list is complete - I'm still doing research. The patches I already submitted are fairly straight- forward - OpenSSL contains sample clients and servers that demonstrate good techniques. Right now I'm cross-checking the code with my _SSL and TLS_ book to make sure there aren't other holes, and that takes time. I hadn't planned on doing any of this, but I got caught up in it while setting up snort to log to PostgreSQL via an encrypted channel. As an aside, this is a good example of a case where an SSH tunnel is inadequate! So to answer the question I clipped, I'm looking at it but I don't want to do a half-assed solution. But as the scope of the solution expands, it becomes more important to have consensus that something needs to be done and this is the right solution. So right now I'm not ready to make any commitments. Bear
pgsql-hackers by date: