Re: [ADMIN] no verification of client certificate? - Mailing list pgsql-docs
From | Bruce Momjian |
---|---|
Subject | Re: [ADMIN] no verification of client certificate? |
Date | |
Msg-id | 200703300344.l2U3iwC23191@momjian.us Whole thread Raw |
List | pgsql-docs |
I researched this and found that the documentation was wrong because it said if the client has a 'root.crt', the server must have a 'root.crt', when in fact on the server a 'server.crt' is required. Documentation updated, and mention of libpq SSL section added to server documentation. The libpq comment verifies this: /* Set up to verify server cert, if root.crt is present */ Doc patch attached. Backpatched to 8.2.X. --------------------------------------------------------------------------- Michael Fuhr wrote: > On Mon, Mar 26, 2007 at 12:04:21AM -0400, Tom Lane wrote: > > Well, if it works then why is the OP complaining? > > > > Perhaps there is some non-obvious configuration issue that accounts > > for the difference between your results and his? > > I don't see in the OP's messages that he's tried the configuration > I used. He said he was using the following: > > > > no root.crt in the data dir > > > no .postgresql/ <--- this is what made me think there was no server verification > > > server.crt/key in the data dir > > > pg_hba.conf set to hostssl > > > PGSSLMODE=required or prefer > > My test configuration looks the same on the server but different > on the client: > > Server, in $PGDATA > ================== > server.key > server.crt (signed by some CA) > no root.crt > > Client, in ~/.postgresql > ======================== > root.crt (for the CA that signed server.crt) > no postgresql.key or postgresql.crt > > The OP did say that > > > > When I first looked at the ssl doc, I didn't see any description of > > > installing the root ca on the client. This seemed odd. On my web client, > > > when I need to verify the server crt, I install the appropriate ca in > > > the client. > > The "SSL Support" section of the libpq documentation mentions > installing root.crt on the client: > > http://www.postgresql.org/docs/8.2/interactive/libpq-ssl.html > > "If the file ~/.postgresql/root.crt is present in the user's home > directory, libpq will use the certificate list stored therein to > verify the server's certificate. (On Microsoft Windows the file is > named %APPDATA%\postgresql\root.crt.) The SSL connection will fail > if the server does not present a certificate; therefore, to use > this feature the server must also have a root.crt file." > > The requirement that the server have a root.crt appears to be > incorrect, at least in the tests I ran. Unless somebody can justify > that statement I'll submit a documentation patch to correct it. > > -- > Michael Fuhr > > ---------------------------(end of broadcast)--------------------------- > TIP 7: You can help support the PostgreSQL project by donating at > > http://www.postgresql.org/about/donate -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://www.enterprisedb.com + If your life is a hard drive, Christ can be your backup. + Index: doc/src/sgml/libpq.sgml =================================================================== RCS file: /cvsroot/pgsql/doc/src/sgml/libpq.sgml,v retrieving revision 1.234 diff -c -c -r1.234 libpq.sgml *** doc/src/sgml/libpq.sgml 20 Feb 2007 19:35:17 -0000 1.234 --- doc/src/sgml/libpq.sgml 30 Mar 2007 03:14:01 -0000 *************** *** 4501,4507 **** <filename>%APPDATA%\postgresql\root.crt</filename>.) The SSL connection will fail if the server does not present a certificate; therefore, to ! use this feature the server must also have a <filename>root.crt</> file. Certificate Revocation List (CRL) entries are also checked if the file <filename>~/.postgresql/root.crl</filename> exists (<filename>%APPDATA%\postgresql\root.crl</filename> on Microsoft Windows). --- 4501,4507 ---- <filename>%APPDATA%\postgresql\root.crt</filename>.) The SSL connection will fail if the server does not present a certificate; therefore, to ! use this feature the server must have a <filename>server.crt</> file. Certificate Revocation List (CRL) entries are also checked if the file <filename>~/.postgresql/root.crl</filename> exists (<filename>%APPDATA%\postgresql\root.crl</filename> on Microsoft Windows). Index: doc/src/sgml/runtime.sgml =================================================================== RCS file: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v retrieving revision 1.380 diff -c -c -r1.380 runtime.sgml *** doc/src/sgml/runtime.sgml 6 Mar 2007 09:59:22 -0000 1.380 --- doc/src/sgml/runtime.sgml 30 Mar 2007 03:14:04 -0000 *************** *** 1574,1583 **** certificates of the <acronym>CA</acronym>(s) you wish to check for in the file <filename>root.crt</filename> in the data directory. When present, a client certificate will be requested from the client ! during SSL connection startup, and it must have been signed by one of the ! certificates present in <filename>root.crt</filename>. Certificate ! Revocation List (CRL) entries are also checked if the file ! <filename>root.crl</filename> exists. </para> <para> --- 1574,1584 ---- certificates of the <acronym>CA</acronym>(s) you wish to check for in the file <filename>root.crt</filename> in the data directory. When present, a client certificate will be requested from the client ! during SSL connection startup, and it must have been signed by one of ! the certificates present in <filename>root.crt</filename>. (See <xref ! linkend="libpq-ssl"> for a description of how to set up client ! certificates.) Certificate Revocation List (CRL) entries are also ! checked if the file <filename>root.crl</filename> exists. </para> <para>
pgsql-docs by date: