BUG #4340: SECURITY: Is SSL Doing Anything? - Mailing list pgsql-bugs

From Dan Kaminsky
Subject BUG #4340: SECURITY: Is SSL Doing Anything?
Date
Msg-id 200808041514.m74FEfZL097603@wwwmaster.postgresql.org
Responses Re: BUG #4340: SECURITY: Is SSL Doing Anything?
List pgsql-bugs
The following bug has been logged online:

Bug reference:      4340
Logged by:          Dan Kaminsky
Email address:      dan@doxpara.com
PostgreSQL version: 7.3
Operating system:   Any
Description:        SECURITY:  Is SSL Doing Anything?
Details:

http://www.google.com/codesearch?hl=en&q=verify_cb+package:http://ring.atr.jp/archives/misc/db/postgresql-jp/7.3beta/postgresql-7.3b1.tar.gz+show:T2MIh9GrfhE:LRGuIfOPoEk:-Eemn4ZpAKY&sa=N&cd=1&ct=rc&cs_p=http://ring.atr.jp/archives/misc/db/postgresql-jp/7.3beta/postgresql-7.3b1.tar.gz&cs_f=postgresql-7.3b1/src/interfaces/libpq/fe-secure.c#l355

/*
 *    Certificate verification callback
 *
 *    This callback allows us to log intermediate problems during
 *    verification, but there doesn't seem to be a clean way to get
 *    our PGconn * structure.  So we can't log anything!
 *
 *    This callback also allows us to override the default acceptance
 *    criteria (e.g., accepting self-signed or expired certs), but
 *    for now we accept the default checks.
 */
static int
verify_cb(int ok, X509_STORE_CTX *ctx)
{
    return ok;
}


---

Clearly, this is handling self-signed certs.  Great.  But what I really want
to know is, is verify_peer accepting a self-signed identity assertion?
Because that'd be remote EoP.
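
A model of the callback contract discussed in the report above, added here as an example; it is not part of the original post and is not PostgreSQL or OpenSSL code. It assumes OpenSSL's documented behaviour that the callback's return value decides whether a verification error stands and that, in client mode, a failed verification aborts the handshake only under SSL_VERIFY_PEER; all type and function names are hypothetical stand-ins.

```c
/* Added model of the verify-callback contract; every name is a stand-in
 * (hypothetical), not OpenSSL or libpq code. */
#include <stddef.h>

enum { ERR_SELF_SIGNED = 1, ERR_EXPIRED = 2 };   /* constructed error codes */
enum verify_mode { MODE_NONE, MODE_PEER };       /* cf. SSL_VERIFY_NONE / SSL_VERIFY_PEER */

struct store_ctx { int error; int *log; };       /* stand-in for X509_STORE_CTX */
typedef int (*verify_cb_t)(int ok, struct store_ctx *ctx);

/* Same shape as the callback quoted above: keep the library's verdict. */
static int cb_passthrough(int ok, struct store_ctx *ctx) { (void)ctx; return ok; }

/* Records the failing error code, then still keeps the library's verdict. */
static int cb_logging(int ok, struct store_ctx *ctx)
{
    if (!ok && ctx->log)
        *ctx->log = ctx->error;
    return ok;
}

/* Anti-pattern: returning 1 overrides every error, self-signed included. */
static int cb_accept_all(int ok, struct store_ctx *ctx) { (void)ok; (void)ctx; return 1; }

/* Each error found in the chain is offered to the callback with ok = 0;
 * the callback's return value replaces the verdict for that error. */
static int verify_chain(const int *errors, size_t n, verify_cb_t cb, int *log)
{
    for (size_t i = 0; i < n; i++) {
        struct store_ctx ctx = { errors[i], log };
        if (!cb(0, &ctx))
            return 0;                            /* error stands: chain rejected */
    }
    return 1;                                    /* no error left standing */
}

/* Returns 1 if the handshake completes. In MODE_NONE the verification
 * result is computed but never enforced. */
static int handshake_completes(enum verify_mode mode, const int *errors,
                               size_t n, verify_cb_t cb, int *log)
{
    int verified = verify_chain(errors, n, cb, log);
    return mode == MODE_NONE ? 1 : verified;
}
```

In this model a pass-through callback leaves a self-signed certificate rejected under MODE_PEER; acceptance comes only from an overriding callback or from MODE_NONE.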
