Re: be-secure.c patch - Mailing list pgsql-patches
From | Bruce Momjian |
---|---|
Subject | Re: be-secure.c patch |
Date | |
Msg-id | 200604270231.k3R2VC428968@candle.pha.pa.us |
In response to | be-secure.c patch (Libor Hohoš <liho@d-prog.cz>) |
List | pgsql-patches |
Patch adjusted and applied. Thanks. I added documentation about SSL Certificate Revocation List (CRL) files. We throw a log message if "root.crl" does exist. Perhaps we should just silently say nothing, but that seems dangerous.

---------------------------------------------------------------------------

Libor Hohoš wrote:
> Hello PG folks,
> the attachment contains a simple patch adding verification of the client's certificate(s)
> against a CRL on the server side in mutual SSL authentication.
> The CRL file has the name "root.crl" and it must be stored in the PGDATA directory.
>
> With best regards
> L. Hohos

[ Attachment, skipping... ]

--
Bruce Momjian http://candle.pha.pa.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

Index: doc/src/sgml/runtime.sgml =================================================================== RCS file: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v retrieving revision 1.370 diff -c -c -r1.370 runtime.sgml *** doc/src/sgml/runtime.sgml 11 Apr 2006 21:04:52 -0000 1.370 --- doc/src/sgml/runtime.sgml 27 Apr 2006 02:27:13 -0000 *************** *** 1553,1559 **** the file <filename>root.crt</filename> in the data directory. When present, a client certificate will be requested from the client during SSL connection startup, and it must have been signed by one of the ! certificates present in <filename>root.crt</filename>. </para> <para> --- 1553,1561 ---- the file <filename>root.crt</filename> in the data directory. When present, a client certificate will be requested from the client during SSL connection startup, and it must have been signed by one of the ! certificates present in <filename>root.crt</filename>. Certificate ! Revocation List (CRL) entries are also checked if the file ! <filename>root.crl</filename> exists.
</para> <para> *************** *** 1564,1572 **** <para> The files <filename>server.key</>, <filename>server.crt</>, ! and <filename>root.crt</filename> are only examined during server ! start; so you must restart the server to make changes in them take ! effect. </para> </sect1> --- 1566,1574 ---- <para> The files <filename>server.key</>, <filename>server.crt</>, ! <filename>root.crt</filename>, and <filename>root.crl</filename> ! are only examined during server start; so you must restart ! the server to make changes in them take effect. </para> </sect1> Index: src/backend/libpq/be-secure.c =================================================================== RCS file: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v retrieving revision 1.63 diff -c -c -r1.63 be-secure.c *** src/backend/libpq/be-secure.c 21 Mar 2006 18:18:35 -0000 1.63 --- src/backend/libpq/be-secure.c 27 Apr 2006 02:27:13 -0000 *************** *** 102,107 **** --- 102,108 ---- #ifdef USE_SSL #define ROOT_CERT_FILE "root.crt" + #define ROOT_CRL_FILE "root.crl" #define SERVER_CERT_FILE "server.crt" #define SERVER_PRIVATE_KEY_FILE "server.key" *************** *** 794,799 **** --- 795,822 ---- } else { + /* + * Check the Certificate Revocation List (CRL) if file exists. + * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html + */ + X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context); + + if (cvstore) + { + if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0) + /* setting the flags to check against the complete CRL chain */ + X509_STORE_set_flags(cvstore, + X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); + else + { + /* Not fatal - we do not require CRL */ + ereport(LOG, + (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" not found, skipping: %s", + ROOT_CRL_FILE, SSLerrmessage()), + errdetail("Will not check certificates against CRL."))); + } + } + SSL_CTX_set_verify(SSL_context, (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
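Review bot: the new sentence in the runtime.sgml hunk at 1553,1561 says CRL entries "are also checked if the file root.crl exists" but leaves the administrator to guess what happens when it does not: the be-secure.c hunk logs "SSL Certificate Revocation List (CRL) file "root.crl" not found, skipping" at LOG level and then accepts client certificates with no revocation check at all, which is exactly the condition a DBA needs to recognise in the server log. Suggest extending the paragraph with something like: "If root.crl is not present, a message is written to the server log at startup and client certificates are accepted without being checked for revocation."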
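Review bot: adding root.crl to the restart-only list in the runtime.sgml hunk at 1566,1574 is correct, but the consequence is sharper for a CRL than for the certificate files, and the text should say so: a CRL carries a nextUpdate time, and with X509_V_FLAG_CRL_CHECK set (as the be-secure.c hunk does) OpenSSL rejects every client certificate once the loaded CRL has expired rather than falling back to no checking. Suggest a sentence here that the administrator must install the newly issued CRL and restart the server before the old one's nextUpdate passes, or all client connections will start failing.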
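Review bot: in the be-secure.c hunk at 795,822 the else branch treats every failure of X509_STORE_load_locations() as "not found" and continues with revocation checking disabled, but that call also fails when root.crl exists and cannot be read or parsed, so a corrupt or wrongly formatted CRL degrades silently to one LOG line while the server keeps accepting certificates the CRL was meant to reject. Suggest testing for the file's existence first (a stat() before the load) so that a genuinely missing file keeps the current LOG path, and treating a present-but-unloadable root.crl as FATAL, carrying the SSLerrmessage() text so the parse error is visible. Two smaller points on the same lines: X509_V_FLAG_CRL_CHECK_ALL makes OpenSSL require an applicable CRL for every certificate in the chain, CA certificates included, so if root.crl holds only the issuing CA's CRL and root.crt contains intermediate or root CAs without one, every client certificate fails verification, not just the revoked ones; either document that root.crl must contain a CRL for each CA in the chain, or use X509_V_FLAG_CRL_CHECK alone. And the searchsecurity.techtarget.com glossary link in the comment is a weak reference for this code; a pointer to the OpenSSL X509_STORE_set_flags() documentation or RFC 5280 would serve the next reader better.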