Re: patch for SSL cleanup, client certificates - Mailing list pgsql-patches
From | Bruce Momjian |
---|---|
Subject | Re: patch for SSL cleanup, client certificates |
Date | |
Msg-id | 200206112234.g5BMY9u24610@candle.pha.pa.us Whole thread Raw |
In response to | patch for SSL cleanup, client certificates (Bear Giles <bear@coyotesong.com>) |
List | pgsql-patches |
I assume this was all rolled into the later SSL patches, 1-9, right? --------------------------------------------------------------------------- Bear Giles wrote: > Attached is a patch that includes some SSL cleanup and adds support for > client certificates. The visible changes are: > > 1) postmaster logs anonymous SSL connections: > > DEBUG: SSL connection from (anonymous) with cipher EDH-RSA-DES-CBC3-SHA > > 2) postmaster logs SSL connections with client certificates: > > DEBUG: SSL connection from Bear Giles with cipher EDH-RSA-DES-CBC3-SHA > > (The postmaster will also log any errors in the certificate.) > > 3) libpq recognizes two new environment variables/configuration file > options > > PQCLIENTCERT: pathname of client certificate > PQCLIENTKEY: pathname of client key > > At the current time, only unencrypted keys are supported. > There is a prototype callback that prompts the user for an > encryption passphrase, but it's not yet activated. > > For security reasons, the key file must be a regular file > that is not world- or group-accessible. It should also be > owned by the server or user, but this is not yet checked. > > The client cert, if provided, is available at 'port->peer', but > this value is not yet used to map a client cert into a PostgreSQL > user. > > > The patch also provides some cleanup of the SSL calls: > > 1) proper error checking for SSL_read() and SSL_write(). > (You need to call SSL_get_error(), not just check the system > errno.) > > 2) proper shutdown of the SSL connection, at least on the client > side. Simply closing the socket is a sadly common error. > (SSL_shutdown()). > > 3) Empheral DH keys have been added, with fallbacks provided from > the OpenSSL source code. > > 4) keys must be regular files and not world- or group-accessible. > They should also be owned by the postmaster or client, but I > haven't added that test yet. > > Unfortunately the error messages if the permissions tests fail > are cryptic at best. This definitely needs improvement! > > Some serious work remains: > > 1) we should move towards TLSv1 instead of SSLv3 or SSLv2. > But this may have unforeseen consequences so we should make > sure everything else is working well first. > > 2) we need to provide a way to specify a good entropy source, > if one is available. > > 3) we need to provide a trigger to renegotiate the session key. > (E.g., renegotiate the session key after N hours or X megabytes > of data.) > > 4) certificates should be better validated. > > 5) backend/libpq/hba.c needs to be extended to support mapping > from client cert to database identity. > > Bear Content-Description: /tmp/diff [ Attachment, skipping... ] > > ---------------------------(end of broadcast)--------------------------- > TIP 6: Have you searched our list archives? > > http://archives.postgresql.org -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000 + If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania 19026
pgsql-patches by date: