Re: be-secure.c patch - Mailing list pgsql-patches
From | Bruce Momjian |
---|---|
Subject | Re: be-secure.c patch |
Date | |
Msg-id | 200604271412.k3RECCj17731@candle.pha.pa.us |
In response to | be-secure.c patch (Libor Hohoš <liho@d-prog.cz>) |
Responses | Re: be-secure.c patch |
List | pgsql-patches |
I am now wondering if fe-secure.c, the front-end code, should also check for "root.crl". The attached patch implements it. Is it a good idea?

Also, if you look in interfaces/libpq/fe-secure.c at some NOT_USED macros you can see there are a few things we don't implement. Can that be improved?

---------------------------------------------------------------------------

> Patch adjusted and applied. Thanks.
>
> I added documentation about SSL Certificate Revocation List (CRL) files.
>
> We throw a log message if "root.crl" does exist. Perhaps we should just
> silently say nothing, but that seems dangerous.
>
> ---------------------------------------------------------------------------
>
>
> Libor Hohoš wrote:
> > Hello PG folks,
> > the attachment contains a simple patch to adding of verification of client's certificate(s)
> > against CRL on server side in mutual SSL authentication.
> > The CRL file has name "root.crl" and it must be stored in PGDATA directory.

--
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup.
+ Index: src/interfaces/libpq/fe-secure.c =================================================================== RCS file: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v retrieving revision 1.79 diff -c -c -r1.79 fe-secure.c *** src/interfaces/libpq/fe-secure.c 27 Apr 2006 14:02:36 -0000 1.79 --- src/interfaces/libpq/fe-secure.c 27 Apr 2006 14:08:18 -0000 *************** *** 125,135 **** --- 125,137 ---- #define USER_CERT_FILE ".postgresql/postgresql.crt" #define USER_KEY_FILE ".postgresql/postgresql.key" #define ROOT_CERT_FILE ".postgresql/root.crt" + #define ROOT_CRL_FILE ".postgresql/root.crl" #else /* On Windows, the "home" directory is already PostgreSQL-specific */ #define USER_CERT_FILE "postgresql.crt" #define USER_KEY_FILE "postgresql.key" #define ROOT_CERT_FILE "root.crt" + #define ROOT_CRL_FILE "root.crl" #endif #ifdef NOT_USED *************** *** 784,789 **** --- 786,793 ---- snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE); if (stat(fnbuf, &buf) == 0) { + X509_STORE *cvstore; + if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL)) { char *err = SSLerrmessage(); *************** *** 795,800 **** --- 799,813 ---- return -1; } + if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL) + { + if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0) + /* setting the flags to check against the complete CRL chain */ + X509_STORE_set_flags(cvstore, + X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); + /* if not found, silently ignore; we do not require CRL */ + } + SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb); } }
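Review bot: missing documentation for the two new ROOT_CRL_FILE definitions in the first hunk (--- 125,137). The diff shown touches only fe-secure.c, while the quoted reply says documentation was added for the server-side CRL file, so the libpq SSL documentation should also say that the client now reads ".postgresql/root.crl" under the home directory (plain "root.crl" on Windows) and that the file is optional.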
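Review bot: in the last hunk (--- 799,813), X509_STORE_load_locations() is passed the bare ROOT_CRL_FILE macro, so the CRL is looked up relative to the process's current working directory, whereas root.crt just above is opened through fnbuf built with snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE). Build the CRL path the same way before loading it. The failure return is also ignored whatever its cause, so a root.crl that exists but cannot be read or parsed turns revocation checking off without any message; stat() the file first and treat a load failure on an existing file as an error, as the code already does for root.crt with SSLerrmessage() and return -1. Separately, X509_V_FLAG_CRL_CHECK_ALL makes OpenSSL require a CRL for every certificate in the chain, so a root.crl covering only one CA will make verification of longer chains fail; the comment should state that requirement.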