Re: Spoofing as the postmaster - Mailing list pgsql-hackers

From Mark Mielke
Subject Re: Spoofing as the postmaster
Date
Msg-id 4775C6C6.2040908@mark.mielke.cc
In response to Re: Spoofing as the postmaster  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Spoofing as the postmaster  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
>> Agreed.  Requiring client root certificate checking is heavy-handed.
>
> There seems to be some confusion here.  I didn't think anyone was
> proposing that we force every installation to require client root
> certificate checking.  What was under discussion (I thought) was
> providing the ability for a DBA to *choose* to require it.
>
>> Of course I am not sure anyone knows how to get that information from
>> SSL.
>
> Yeah, if OpenSSL doesn't support testing for this then the discussion
> is moot..

I believe SSL is only capable of letting you know whether authentication for each end point was 1) not requested, 2) optionally requested, or 3) required. Note that even if the authentication is required, there is no way to know how authentication was performed. For example, did it check the signature chain, requiring it to map to a public root certificate list used by most web browsers? If so, did it check the contents of the certificate, or is it only checking that it exists? Did it check a local key store that has a copy of the public key certificate? Or did it just log the certificate subject?

OpenSSH, for instance, presents the user with the fingerprint of the certificate and asks you:

$ ssh 192.168.0.1
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
RSA key fingerprint is 3e:a7:0f:04:60:7e:8e:64:52:bf:81:92:a9:05:c7:36.
Are you sure you want to continue connecting (yes/no)?

While this certainly gives you the opportunity to challenge it, I don't know of any person who actually checks this fingerprint. Luckily, it stores it to ~/.ssh/known_hosts, and so the real issue is if it suddenly changes, you get a warning. Still, I've seen the warning before, and realized that "oh yes, that machine was upgraded, so it probably has a new public key". I have never personally checked the fingerprint against a known source. Authentication is only as strong as the person or process confirming it. In the case of trying to force a client to authenticate the server, this requires the client to know who the server is. As most clients will not know who the server is, I see clients implementing an OpenSSH-style authentication model (shown above), or providing their own no-op authentication routine to OpenSSL. I don't think it is worth it, and I don't think it would work.

Cheers,
mark

-- 
Mark Mielke <mark@mielke.cc>
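The "OpenSSH-style" model the post describes (pin the server's certificate on first contact, warn when it later changes) as an added example; this is not code from the thread, from PostgreSQL, or from OpenSSH. It assumes a JSON file as the known-hosts store, uses SHA-256 rather than the MD5 fingerprint shown in the ssh transcript, and the certificate bytes in the demo are constructed placeholders rather than real DER certificates. The `VERIFY_MODES` table maps the three states the post lists (not requested / optional / required) onto the constants Python's `ssl` module exposes for OpenSSL's verify mode; everything beyond that, as the post points out, has to be done by the application itself.

```python
"""
Known-hosts style (trust-on-first-use) pinning of a server certificate.

Added example, not from the pgsql-hackers thread, PostgreSQL or OpenSSH.
The TLS layer only tells you whether peer authentication was not
requested, optional, or required; whether the certificate was actually
checked against anything is the application's job, which is what the
functions below do.
"""
import hashlib
import json
import ssl
from pathlib import Path

# The three verification modes the post names, as OpenSSL exposes them
# through Python's ssl module.  None of them says *how* a cert was checked.
VERIFY_MODES = {
    "not requested": ssl.CERT_NONE,
    "optional": ssl.CERT_OPTIONAL,
    "required": ssl.CERT_REQUIRED,
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex
    in the style OpenSSH prints (the transcript in the post used MD5)."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_known_host(store: dict, host: str, der_cert: bytes) -> str:
    """Compare the presented certificate with the one pinned for `host`.

    Returns one of:
      "new"     - host not in the store yet; the caller decides whether to pin
      "match"   - presented certificate equals the pinned one
      "changed" - pinned fingerprint differs: the warning case from the post
    The store is not modified here; see pin_host().
    """
    pinned = store.get(host)
    if pinned is None:
        return "new"
    return "match" if pinned == fingerprint(der_cert) else "changed"


def pin_host(store: dict, host: str, der_cert: bytes) -> dict:
    """Record the certificate for `host` (the 'yes' answer to the ssh prompt)."""
    store[host] = fingerprint(der_cert)
    return store


def load_store(path: Path) -> dict:
    """Read the known-hosts JSON file; an absent file is an empty store."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    """Persist the store so a later change in the server's certificate is noticed."""
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def peer_cert_der(sock: ssl.SSLSocket) -> bytes:
    """Raw DER certificate the peer presented on an established TLS socket.

    If the context was built with verify_mode=ssl.CERT_NONE the library did no
    chain check at all, so check_known_host() is the only server
    authentication that takes place.
    """
    return sock.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed placeholder "certificates"; real DER bytes would come from
    # peer_cert_der() after the handshake.
    first_cert = b"constructed-der-placeholder-server-A"
    rotated_cert = b"constructed-der-placeholder-server-A-after-upgrade"
    host = "192.168.0.1:5432"
    store = {}
    print(check_known_host(store, host, first_cert))    # new
    pin_host(store, host, first_cert)
    print(check_known_host(store, host, first_cert))    # match
    print(check_known_host(store, host, rotated_cert))  # changed
```

The "changed" result is the only one the scheme can act on: a first contact is always accepted on faith, which is exactly the weakness the post describes, so the value of the store is in detecting a later, unexplained key change rather than in authenticating the server the first time.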
