Re: [HACKERS] Trust intermediate CA for client certificates - Mailing list pgsql-general

From Craig Ringer
Subject Re: [HACKERS] Trust intermediate CA for client certificates
Date
Msg-id 514673DA.4030000@2ndquadrant.com
Whole thread Raw
In response to Re: Trust intermediate CA for client certificates  (Ian Pilcher <arequipeno@gmail.com>)
List pgsql-general
On 03/09/2013 04:52 PM, Ian Pilcher wrote:
> 3. Once the root CA certificate is trusted, however, the "bad" client
>    can also connect by using a certificate chain that includes the
>    Server CA certificate --"cat bad-client.crt server-ca.crt >
>    ~/.postgresql/postgresql.crt".
>
> After looking at be-secure.c and investigating the way that OpenSSL
> validates certificates, I do not believe that there is any way of
> achieving the desired behavior with the current codebase.
I'm testing this and looking into it now.

At first glance this looks like a genuine problem. We need to be storing
the certs used for validating client cert auth separately from the
certificate chain that links those certs to trusted self-signed CA
roots. I was under the strong impression that OpenSSL would do this if
the client validation certs were in root.crt and the certificate chain
was in OpenSSL's certificate search path and am testing that now. Even
if that's the case we need to at least document this issue and
preferably detect the case where root.crt contains a certificate chain.

If this tests out as expected you need to consider the effects it'd have
on people who're not using self-signed CAs, but are instead using certs
signed by big CAs. *Any other customer of the same CA could potentially
connect to your server with a genuine, valid client cert issued to them
by the CA*. Ouch.

I'm going through and reproducing the problem now and will also test
OpenSSL certificate chain lookup path configurations to see if there's a
way to set things up correctly with the current backend code. I'll
report back shortly.

--
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services



pgsql-general by date:

Previous
From: Pawel Veselov
Date:
Subject: ORDER BY expression required in SELECT if DISTINCT
Next
From: Adam Zegelin
Date:
Subject: Enforcing Parameterised Nested Loop Join Order for Foreign Table Joins