Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt - Mailing list pgsql-bugs
From | Bruce Momjian |
---|---|
Subject | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
Date | |
Msg-id | 200904112014.n3BKEev15917@momjian.us |
In response to | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt (Peter Eisentraut <peter_e@gmx.net>) |
Responses | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
List | pgsql-bugs |
Peter Eisentraut wrote:
> On Friday 10 April 2009 08:39:33 Martin Pitt wrote:
> > Tom Lane [2009-04-10 1:15 -0400]:
> > > Martin Pitt <mpitt@debian.org> writes:
> > > > The test suite detected one regression in libpq, though: Setting
> > > > $PGHOST now complains about a missing root.crt, although this is only
> > > > relevant on the server side (or did I misunderstand this?)
> > >
> > > No, that's a progression: the client wants to validate the server's
> > > cert, too.
> >
> > Indeed it is nice to see this feature (great to prevent spoofing), but
> > if I don't have a ~/.postgresql/root.crt at all, it shouldn't
> > certainly break completely? (which it does now).
>
> I assume the server has the snakeoil certificate installed? In that case, it
> is correct that the client refuses to proceed, although the exact manner of
> breaking could perhaps be improved.

I have developed a patch to more clearly explain the problem with a
missing client root.crt file:

    $ PGSSLVERIFY=cn sql -h localhost test
    psql: root certificate file "/u/postgres/.postgresql/root.crt" does not exist
    Either supply the file or set sslverify to "none" to disable server certificate verification.

    $ PGSSLVERIFY=none sql -h localhost test
    psql (8.4beta1)
    SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
    Type "help" for help.

I had to add a second error message line; I didn't see us doing a
second line anywhere else in libpq, but it seemed to be the only
solution. Should I use three lines?

--
  Bruce Momjian <bruce@momjian.us> http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup.
+ Index: src/interfaces/libpq/fe-secure.c =================================================================== RCS file: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v retrieving revision 1.122 diff -c -c -r1.122 fe-secure.c *** src/interfaces/libpq/fe-secure.c 31 Mar 2009 01:41:27 -0000 1.122 --- src/interfaces/libpq/fe-secure.c 11 Apr 2009 19:32:47 -0000 *************** *** 1067,1073 **** if (strcmp(conn->sslverify, "none") != 0) { printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("root certificate file \"%s\" does not exist"), fnbuf); return -1; } } --- 1067,1074 ---- if (strcmp(conn->sslverify, "none") != 0) { printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("root certificate file \"%s\" does not exist\n" ! "Either supply the file or set sslverify to \"none\" to disable server certificate verification.\n"),fnbuf); return -1; } }
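Review bot: The added second literal offers setting sslverify to "none" as an equal alternative to supplying root.crt, yet the strcmp guard means this branch runs only for users who asked for verification, so the hint points exactly those users at switching it off. I would word it so that supplying the file is the primary remedy and "none" is the explicit opt-out, for example "Supply the file to verify the server certificate, or set sslverify to \"none\" to connect without verification." Two smaller points in the same statement: both sentences are passed to libpq_gettext() as one string, so the error and the hint are translated as a single unit, and the new text ends in "\n" where the old message had no trailing newline, which is worth confirming as intended. There is also a missing space after the comma in `,fnbuf`.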