SSL code fixed - Mailing list pgsql-hackers

From Bruce Momjian
Subject SSL code fixed
Date
Msg-id 200209260440.g8Q4etP25454@candle.pha.pa.us
In response to Re: New SSL code to be removed  (Jan Wieck <JanWieck@Yahoo.com>)
List pgsql-hackers
Jan Wieck wrote:
> Bruce Momjian wrote:
> >
> > Because the new 7.3 SSL code doesn't work (per Peter), and the author is
> > not responding, I am about to yank out that code.  Peter suggests
> > ripping out all the new code rather than try to pick around and remove
> > just the broken parts.
>
> Agreed. I always wondered what SSL DB-connections are good for.

OK, I have applied the following patch to allow SSL to work without
client certificates.  There was some confusion in the code because while
the comments said client certificates were not required, the
infrastructure on the client side was required.  This patch removes the
requirement, and adds a comment so Bear can make adjustments for 7.4.  I
don't think we ever want to _require_ client-side certificates.

I did not remove the code because after quick review I saw that his code
actually filled in areas our pre-7.3 code was missing.  I will have him
review this patch and make any adjustments.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: /cvsroot/pgsql-server/doc/src/sgml/runtime.sgml,v
retrieving revision 1.139
diff -c -c -r1.139 runtime.sgml
*** doc/src/sgml/runtime.sgml    25 Sep 2002 21:16:10 -0000    1.139
--- doc/src/sgml/runtime.sgml    26 Sep 2002 04:36:08 -0000
***************
*** 2876,2881 ****
--- 2876,2882 ----
     Enter the old passphrase to unlock the existing key. Now do
  <programlisting>
  openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
+ chmod og-rwx cert.pem
  cp cert.pem <replaceable>$PGDATA</replaceable>/server.key
  cp cert.cert <replaceable>$PGDATA</replaceable>/server.crt
  </programlisting>
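Review bot: `chmod og-rwx cert.pem` is applied to the working copy before the `cp`, so the restrictive mode only reaches `<replaceable>$PGDATA</replaceable>/server.key` when that file does not exist yet; when an earlier server.key is being replaced, cp truncates and rewrites it but keeps the destination's existing permission bits. Suggest adding `chmod og-rwx <replaceable>$PGDATA</replaceable>/server.key` after the copy (or applying the chmod to the copied file instead of cert.pem) so the documented procedure leaves the private key unreadable by other users in both cases.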
Index: src/backend/libpq/be-secure.c
===================================================================
RCS file: /cvsroot/pgsql-server/src/backend/libpq/be-secure.c,v
retrieving revision 1.14
diff -c -c -r1.14 be-secure.c
*** src/backend/libpq/be-secure.c    4 Sep 2002 23:31:34 -0000    1.14
--- src/backend/libpq/be-secure.c    26 Sep 2002 04:36:12 -0000
***************
*** 642,650 ****
--- 642,654 ----
      snprintf(fnbuf, sizeof fnbuf, "%s/root.crt", DataDir);
      if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, CA_PATH))
      {
+         return 0;
+ #ifdef NOT_USED
+         /* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
          postmaster_error("could not read root cert file (%s): %s",
                           fnbuf, SSLerrmessage());
          ExitPostmaster(1);
+ #endif
      }
      SSL_CTX_set_verify(SSL_context,
                      SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_cb);
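Review bot: the unconditional `return 0;` in the `SSL_CTX_load_verify_locations` failure branch reports success for every failure, not only for a missing `root.crt`, so an unreadable or malformed root.crt that an administrator deliberately put in DataDir silently disables client-certificate verification (the `SSL_CTX_set_verify` call below is skipped) with nothing in the postmaster log. Suggest stat()ing the file first and treating only ENOENT as "client verification not configured", keeping the now-dead `postmaster_error` / `ExitPostmaster(1)` path for any other failure, or at least logging a non-fatal message; the `#ifdef NOT_USED` block after an unconditional return is also unreachable as written, so the comment should state the intended behaviour rather than just the date.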
Index: src/interfaces/libpq/fe-secure.c
===================================================================
RCS file: /cvsroot/pgsql-server/src/interfaces/libpq/fe-secure.c,v
retrieving revision 1.13
diff -c -c -r1.13 fe-secure.c
*** src/interfaces/libpq/fe-secure.c    22 Sep 2002 20:57:21 -0000    1.13
--- src/interfaces/libpq/fe-secure.c    26 Sep 2002 04:36:23 -0000
***************
*** 726,735 ****
--- 726,739 ----
                   pwd->pw_dir);
          if (stat(fnbuf, &buf) == -1)
          {
+             return 0;
+ #ifdef NOT_USED
+             /* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
              printfPQExpBuffer(&conn->errorMessage,
                   libpq_gettext("could not read root certificate list (%s): %s\n"),
                                fnbuf, strerror(errno));
              return -1;
+ #endif
          }
          if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, 0))
          {
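Review bot: the comment `/* CLIENT CERTIFICATES NOT REQUIRED */` misdescribes this branch: the file being stat()ed is the client's `root.crt` under `pwd->pw_dir`, which is the CA list libpq uses to verify the server's certificate (the suppressed message itself says "root certificate list"), not a client certificate. Returning 0 here also treats every stat() failure (EACCES, ENOTDIR, ...) as "no root cert" and skips the `SSL_CTX_load_verify_locations` call that follows, so a user who installed root.crt but got its permissions wrong connects unverified with no diagnostic. Suggest `return 0` only when `errno == ENOENT`, keeping the existing error path otherwise, and rewording the comment to say that server verification is optional when root.crt is absent.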
***************
*** 789,794 ****
--- 793,800 ----

      /* check the certificate chain of the server */

+ #ifdef NOT_USED
+     /* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
      /*
       * this eliminates simple man-in-the-middle attacks and simple
       * impersonations
***************
*** 802,807 ****
--- 808,814 ----
          close_SSL(conn);
          return -1;
      }
+ #endif

      /* pull out server distinguished and common names */
      conn->peer = SSL_get_peer_certificate(conn->ssl);
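Review bot: putting the "check the certificate chain of the server" block under `#ifdef NOT_USED` removes server-certificate verification for every connection, including clients that do have root.crt installed, and the comment inside the block says this is what "eliminates simple man-in-the-middle attacks and simple impersonations". Since the root.crt branch earlier in this file now returns early when the file is absent, the chain check could stay compiled in and run only when a CA list was actually loaded (a flag set after `SSL_CTX_load_verify_locations` succeeds), instead of being disabled for all users. Also, `SSL_get_peer_certificate` just below can return NULL; with the chain check gone, please confirm `conn->peer` is still tested before the distinguished and common names are pulled out of it.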
***************
*** 824,829 ****
--- 831,838 ----

      /* verify that the common name resolves to peer */

+ #ifdef NOT_USED
+     /* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
      /*
       * this is necessary to eliminate man-in-the-middle attacks and
       * impersonations where the attacker somehow learned the server's
***************
*** 834,839 ****
--- 843,849 ----
          close_SSL(conn);
          return -1;
      }
+ #endif

      return 0;
  }
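Review bot: disabling the "verify that the common name resolves to peer" block means that, even when root.crt is present and the chain check is restored, a certificate issued by the trusted CA for any other host is accepted for this connection; the comment inside the block says this check is what prevents "impersonations where the attacker somehow learned the server's" key material. Same suggestion as for the chain check: keep the code live and skip it only when no CA list was loaded, and say so in the comment rather than leaving it under NOT_USED for the 7.4 cleanup to rediscover.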

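As an added example (my code, not part of Bruce's patch or of PostgreSQL), the distinction that the two early `return 0` branches above collapse: a missing root.crt is the only case that should quietly turn peer verification off, while a root.crt that exists but cannot be used is a configuration error to report. The enum, the `classify_root_cert` function, the temporary-file helper and the paths are illustrative assumptions; there is no OpenSSL dependency, so the check of the file-system part runs stand-alone.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Outcome of probing an optional CA list such as ~/.postgresql/root.crt
 * (client) or $PGDATA/root.crt (server).  Only ABSENT means "run without
 * verification"; UNREADABLE must be reported, not ignored.  (Illustrative
 * names, not libpq's.)
 */
enum root_cert_state
{
    ROOT_CERT_ABSENT,       /* stat() failed with ENOENT: nothing configured */
    ROOT_CERT_UNREADABLE,   /* exists but unusable: report to the user/admin */
    ROOT_CERT_PRESENT       /* regular, readable file: load it and verify peers */
};

/*
 * Classify PATH.  On UNREADABLE a message in the style of the libpq
 * messages in the patch is written to ERRBUF (if non-NULL).
 */
enum root_cert_state
classify_root_cert(const char *path, char *errbuf, size_t errlen)
{
    struct stat st;

    if (stat(path, &st) == -1)
    {
        if (errno == ENOENT)
            return ROOT_CERT_ABSENT;   /* the only "silently optional" case */
        if (errbuf)
            snprintf(errbuf, errlen,
                     "could not read root certificate list (%s): %s",
                     path, strerror(errno));
        return ROOT_CERT_UNREADABLE;   /* EACCES, ENOTDIR, ELOOP, ... */
    }
    if (!S_ISREG(st.st_mode))
    {
        if (errbuf)
            snprintf(errbuf, errlen,
                     "root certificate list (%s) is not a regular file", path);
        return ROOT_CERT_UNREADABLE;
    }
    if (access(path, R_OK) == -1)
    {
        if (errbuf)
            snprintf(errbuf, errlen,
                     "could not read root certificate list (%s): %s",
                     path, strerror(errno));
        return ROOT_CERT_UNREADABLE;
    }
    return ROOT_CERT_PRESENT;
}

/* Demo helper: create an empty temp file (constructed stand-in for root.crt),
 * write its path into BUF; caller unlinks it.  Returns 0 on success. */
int
make_temp_file(char *buf, size_t buflen)
{
    int fd;

    if (buflen < sizeof "/tmp/rootcrtXXXXXX")
        return -1;
    strcpy(buf, "/tmp/rootcrtXXXXXX");
    fd = mkstemp(buf);
    if (fd == -1)
        return -1;
    close(fd);
    return 0;
}

/* Run the three scenarios on a temp file; 0 if every one is classified as
 * expected, otherwise the number of the first scenario that disagreed. */
int
check_root_cert_classification(void)
{
    char path[64], under[96], err[256];
    int rc = 0;

    if (make_temp_file(path, sizeof path) != 0)
        return -1;
    /* 1: a readable regular file is PRESENT */
    if (classify_root_cert(path, err, sizeof err) != ROOT_CERT_PRESENT)
        rc = 1;
    /* 2: a path "below" a regular file fails with ENOTDIR, which is a real
     *    error (the patch's stat()==-1 branch would have called it absent) */
    snprintf(under, sizeof under, "%s/root.crt", path);
    if (rc == 0 && classify_root_cert(under, err, sizeof err) != ROOT_CERT_UNREADABLE)
        rc = 2;
    /* 3: after unlink the same path is genuinely ABSENT */
    unlink(path);
    if (rc == 0 && classify_root_cert(path, err, sizeof err) != ROOT_CERT_ABSENT)
        rc = 3;
    return rc;
}

int
main(void)
{
    int rc = check_root_cert_classification();

    printf("classification check: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

The caller then maps ABSENT to "do not call SSL_CTX_set_verify" and PRESENT to "load the file and set SSL_VERIFY_PEER", and refuses to start (server) or to connect (client) on UNREADABLE, which is the behaviour the original error paths in the hunks provided before they were placed under NOT_USED.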