Postgres Pro
Downloads
Home   >   mailing lists

SSL Support - Mailing list pgsql-hackers

From dom@happygiraffe.net (Dominic Mitchell)
Subject SSL Support
Date
Msg-id 20040921072452.GA67741@ppe.happygiraffe.net
Whole thread Raw
Responses Re: SSL Support  (Peter Eisentraut <peter_e@gmx.net>)
Re: SSL Support  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Tree view 
I've just spent a while this afternoon attempting to get SSL support
working.  It appears to be lacking in a few areas, foremost
documentation.  I've got a patch filling in the missing pieces for the
server side, but I am unsure where I should document the client side
bits (~/.postgresql/root.crt and friends).  I am also unsure of the
procedures for submitting patches; is it ok to just send to hackers?

Going through the code I spotted what appear to be problems.  Although
I'm not familiar with the internals and this is only a cursory glance
through the code.

* src/backend/libpq/be-secure.c

  In initialize_SSL(), we call SSL_CTX_set_verify(), but we don't pass
  in the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag.  This means that a client
  can present no certificate and still get access to the server.

  There's nothing that gets logged to say that an SSL connection was
  made.  This would be useful for testing.  Something like logging the
  connection as "1.2.3.4/ssl"?

* src/interfaces/libpq/fe-secure.c

  In initialize_SSL(), we call SSL_CTX_set_verify_depth(SSL_context, 1).
  This should probably be a configurable item.  I /think/ it might be
  stopping me from successfully verifying the server certificate is
  signed by the CA listed in my client's root.crt file, but I'm not
  sure.

  There is no ability to indicate failure to read the client root.crt.
  This is because it's just magically turned on by the presence of that
  file.  Perhaps it should be another PQconnectdb() option?

  In open_client_SSL(), the call to SSL_get_verify_result() is commented
  out.  This means that crucial things such as the validity of the
  certificate of the server you are connecting to is not checked.  So
  the client will happily connect to an expired certificate.

  In open_client_SSL() again, the call to verify that the CN of the
  certificate is the same as the hostname you've connected to is
  commented out.  So you have no idea whether or not you've connected to
  the right server.

* [both files]

  Having hard coded file names is a bit of a pain.  Particularly so for
  the client, as it means that two users of libpq cannot use different
  certificates.  I admit this is unlikely, but still.  Of course, it
  would be slightly better if documented.

I'm happy to have a go at fixing these problems, if that's acceptable.
Unfortunately the SSL support isn't really usable for me without them.

-Dom
Attachment

pgsql-hackers by date:

Previous
From: Shachar Shemesh
Date:
Subject: Re: No parameters support in "create user"?
Next
From: Peter Eisentraut
Date:
Subject: Re: SSL Support