On 03/09/2013 04:52 PM, Ian Pilcher wrote:
> 3. Once the root CA certificate is trusted, however, the "bad" client
> can also connect by using a certificate chain that includes the
> Server CA certificate --"cat bad-client.crt server-ca.crt >
> ~/.postgresql/postgresql.crt".
>
> After looking at be-secure.c and investigating the way that OpenSSL
> validates certificates, I do not believe that there is any way of
> achieving the desired behavior with the current codebase.
I'm testing this and looking into it now.
At first glance this looks like a genuine problem. We need to be storing
the certs used for validating client cert auth separately from the
certificate chain that links those certs to trusted self-signed CA
roots. I was under the strong impression that OpenSSL would do this if
the client validation certs were in root.crt and the certificate chain
was in OpenSSL's certificate search path and am testing that now. Even
if that's the case we need to at least document this issue and
preferably detect the case where root.crt contains a certificate chain.
If this tests out as expected you need to consider the effects it'd have
on people who're not using self-signed CAs, but are instead using certs
signed by big CAs. *Any other customer of the same CA could potentially
connect to your server with a genuine, valid client cert issued to them
by the CA*. Ouch.
I'm going through and reproducing the problem now and will also test
OpenSSL certificate chain lookup path configurations to see if there's a
way to set things up correctly with the current backend code. I'll
report back shortly.
--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services