Re: be-secure.c patch - Mailing list pgsql-patches

From Bruce Momjian
Subject Re: be-secure.c patch
Date
Msg-id 200604270231.k3R2VC428968@candle.pha.pa.us
In response to be-secure.c patch  (Libor Hohoš <liho@d-prog.cz>)
List pgsql-patches
Patch adjusted and applied.  Thanks.

I added documentation about SSL Certificate Revocation List (CRL) files.

We throw a log message of "root.crl" does exist.  Perhaps we should just
silently say nothing, but that seems dangerous.

---------------------------------------------------------------------------


Libor Hohoš wrote:
>     Hello PG folks,
> the attachment contains a simple patch adding verification of the client's certificate(s)
> against a CRL on the server side in mutual SSL authentication.
> The CRL file is named "root.crl" and it must be stored in the PGDATA directory.
>
>  With best regards
>     L. Hohos
[ Attachment, skipping... ]


--
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v
retrieving revision 1.370
diff -c -c -r1.370 runtime.sgml
*** doc/src/sgml/runtime.sgml    11 Apr 2006 21:04:52 -0000    1.370
--- doc/src/sgml/runtime.sgml    27 Apr 2006 02:27:13 -0000
***************
*** 1553,1559 ****
     the file <filename>root.crt</filename> in the data directory.  When
     present, a client certificate will be requested from the client
     during SSL connection startup, and it must have been signed by one of the
!    certificates present in <filename>root.crt</filename>.
    </para>

    <para>
--- 1553,1561 ----
     the file <filename>root.crt</filename> in the data directory.  When
     present, a client certificate will be requested from the client
     during SSL connection startup, and it must have been signed by one of the
!    certificates present in <filename>root.crt</filename>.  Certificate
!    Revocation List (CRL) entries are also checked if the file
!    <filename>root.crl</filename> exists.
    </para>

    <para>
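Review bot: the added sentence does not say where <filename>root.crl</filename> is looked up, and it leaves the reader to guess what happens when the file is absent. The preceding sentence ties <filename>root.crt</filename> to the data directory, so say it explicitly here too, and add that a missing file is only logged and CRL checking is then skipped, which is how the be-secure.c change behaves ("Not fatal - we do not require CRL"). Something like: "Certificate Revocation List (CRL) entries are also checked if the file <filename>root.crl</filename> exists in the data directory; if it does not, a message is logged and no CRL checking is performed."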
***************
*** 1564,1572 ****

    <para>
     The files <filename>server.key</>, <filename>server.crt</>,
!    and <filename>root.crt</filename> are only examined during server
!    start; so you must restart the server to make changes in them take
!    effect.
    </para>
   </sect1>

--- 1566,1574 ----

    <para>
     The files <filename>server.key</>, <filename>server.crt</>,
!    <filename>root.crt</filename>, and <filename>root.crl</filename>
!    are only examined during server start; so you must restart
!    the server to make changes in them take effect.
    </para>
   </sect1>
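Review bot: the restart requirement has a consequence for revocation that this paragraph should spell out: because <filename>root.crl</filename> is read only at server start, a client certificate revoked in a freshly published CRL continues to be accepted until the server is restarted with the updated file. One sentence to that effect tells administrators that updating the CRL on disk is not sufficient by itself.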

Index: src/backend/libpq/be-secure.c
===================================================================
RCS file: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v
retrieving revision 1.63
diff -c -c -r1.63 be-secure.c
*** src/backend/libpq/be-secure.c    21 Mar 2006 18:18:35 -0000    1.63
--- src/backend/libpq/be-secure.c    27 Apr 2006 02:27:13 -0000
***************
*** 102,107 ****
--- 102,108 ----
  #ifdef USE_SSL

  #define ROOT_CERT_FILE            "root.crt"
+ #define ROOT_CRL_FILE            "root.crl"
  #define SERVER_CERT_FILE        "server.crt"
  #define SERVER_PRIVATE_KEY_FILE "server.key"

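Review bot: the new define is a bare relative filename, so it is resolved against the server's working directory, which is the data directory as the documentation change states; a brief comment on the ROOT_CERT_FILE/ROOT_CRL_FILE pair saying that these paths are relative to the data directory would save the next reader from having to work that out, since nothing else in be-secure.c makes it explicit.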
***************
*** 794,799 ****
--- 795,822 ----
      }
      else
      {
+         /*
+          *    Check the Certificate Revocation List (CRL) if file exists.
+          *    http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
+          */
+         X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
+
+         if (cvstore)
+         {
+             if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+                /* setting the flags to check against the complete CRL chain */
+                X509_STORE_set_flags(cvstore,
+                             X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+             else
+             {
+                 /* Not fatal - we do not require CRL */
+                 ereport(LOG,
+                     (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" not found, skipping: %s",
+                             ROOT_CRL_FILE, SSLerrmessage()),
+                      errdetail("Will not check certificates against CRL.")));
+             }
+         }
+
          SSL_CTX_set_verify(SSL_context,
                             (SSL_VERIFY_PEER |
                              SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
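Review bot: the else branch fails open. X509_STORE_load_locations() returns 0 for any failure, not only for a missing file, so an unreadable or malformed root.crl (a truncated PEM, wrong permissions) is reported as "not found" at LOG level and the server silently runs without revocation checking. Suggest distinguishing the two cases: if root.crl does not exist, keep the non-fatal LOG path; if it exists but cannot be loaded, treat it as a configuration error (ereport(FATAL, ...)) so that a broken CRL cannot quietly disable revocation. The message text should then read "could not load" rather than "not found" for the latter case, and the SSLerrmessage() output already included is the right detail to keep. Two smaller points: X509_V_FLAG_CRL_CHECK_ALL requires a CRL for every CA in the client's chain, so if root.crl only carries the issuing CA's CRL and an intermediate CA is involved, verification fails with "unable to get certificate CRL"; that requirement belongs in the runtime.sgml text. And the techtarget URL in the block comment is a definition link rather than a reference to the OpenSSL behaviour being relied on; drop it or replace it with a pointer to the X509_STORE_set_flags man page.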
