Postgres Pro
Downloads
Home   >   mailing lists

Re: doc patch for ssl in server - Mailing list pgsql-patches

From dom@happygiraffe.net (Dominic Mitchell)
Subject Re: doc patch for ssl in server
Date
Msg-id 20040923211158.GA28254@ppe.happygiraffe.net
Whole thread Raw
In response to Re: doc patch for ssl in server  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: doc patch for ssl in server  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-patches
Tree view 
On Thu, Sep 23, 2004 at 04:37:52PM -0400, Tom Lane wrote:
> Dominic Mitchell <dom@happygiraffe.net> writes:
> > +   If verification of client certificates is required, place the
> > +   certificates of the <acronym>CA</acronym> you wish to check for in
> > +   the file <filename>root.crt</filename> in the data directory.  When
> > +   present, a client certificate will be requested from the client
> > +   making the connection and it must have been signed by one of the
> > +   certificates present in <filename>root.crt</filename>.  If no
> > +   certificate is presented, the connection will be allowed to proceed
> > +   anway.
>
> That last statement is not actually correct, is it?  AFAICS we do tell
> SSL to enforce certificates if we find a valid root.crt file.

Nope, the code says "ask the client to give me a certificate, but carry
on anyway if you don't get one".  The call to SSL_CTX_set_verify in
be-secure.c/initialize_SSL() specifies SSL_VERIFY_PEER |
SSL_VERIFY_CLIENT_ONCE.  According to the docs[1], you also need
SSL_VERIFY_FAIL_IF_NO_PEER_CERT if you want requests that do not send a
certificate to be rejected.  That terminates the connection immediately.
I've no idea what that would do to the server's state at that point.

More to the point, I can definitely connect in this mode:

    % ls -l ~/.postgresql
    total 0
    % sudo ls -l ~pgsql/data
    Password:
    total 36
    -rw-------   1 pgsql  pgsql     4 Dec  5  2003 PG_VERSION
    drwx------  10 pgsql  pgsql   512 Sep 17 22:42 base
    drwx------   2 pgsql  pgsql   512 Sep 23 22:10 global
    drwx------   2 pgsql  pgsql   512 Dec  5  2003 pg_clog
    -r--r--r--   1 pgsql  pgsql  3480 Sep 16 21:28 pg_hba.conf
    -rw-------   1 pgsql  pgsql  1441 Dec  5  2003 pg_ident.conf
    drwx------   2 pgsql  pgsql   512 Sep 21 04:09 pg_xlog
    -r--r--r--   1 pgsql  pgsql  8033 Sep 21 23:37 postgresql.conf
    -rw-------   1 pgsql  pgsql    26 Sep 22 07:38 postmaster.opts
    -rw-------   1 pgsql  pgsql    48 Sep 23 06:01 postmaster.pid
    -rw-r--r--   1 pgsql  pgsql  1204 Sep 16 21:30 root.crt
    -rw-r--r--   1 pgsql  pgsql  3469 Sep 16 21:24 server.crt
    -r--------   1 pgsql  pgsql   887 Sep 16 21:24 server.key
    % psql -h db.happygiraffe.net
    Welcome to psql 7.4.5, the PostgreSQL interactive terminal.

    Type:  \copyright for distribution terms
           \h for help with SQL commands
           \? for help on internal slash commands
           \g or terminate with semicolon to execute query
           \q to quit

    SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

    dom=#

-Dom

[1] http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

pgsql-patches by date:

Previous
From: Tom Lane
Date:
Subject: Re: doc patch for ssl in server
Next
From: Tom Lane
Date:
Subject: Re: doc patch for ssl in server