Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection - Mailing list pgsql-bugs

From Lou Picciano
Subject Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection
Date
Msg-id 88224499.27838527.1474456570201.JavaMail.zimbra@comcast.net
In response to Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection  (Heikki Linnakangas <hlinnaka@iki.fi>)
Responses Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection  (Heikki Linnakangas <hlinnaka@iki.fi>)
Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection  ("Zuk, Kacper" <kzuk@akamai.com>)
List pgsql-bugs
Heikki -

Would also be happy to set up a test case for this... Impacts us directly.

Need a couple of days to do so, though. Please let me know your timeline.

Lou Picciano

----- Original Message -----

From: "Heikki Linnakangas" <hlinnaka@iki.fi>
To: kzuk@akamai.com, pgsql-bugs@postgresql.org
Sent: Wednesday, September 21, 2016 4:06:33 AM
Subject: Re: [BUGS] BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection

On 09/20/2016 01:10 PM, kzuk@akamai.com wrote:
> My educated guess is that in fe-secure-openssl.c in initialize_SSL function
> whole certificate chain is loaded into SSL_context, but only client
> certificate is loaded to SSL object. SSL object is created before loading
> certificate chain into SSL_context, so it doesn't see this update. Only the
> next connection, with new SSL object, picks up the certificate chain from
> SSL_context. It doesn't explain why it works with OpenSSL 1.0.1 though, so
> that may be a false trail.

Yeah, that's probably what's happening. The OpenSSL man page for
SSL_CTX_use_certificate() says:

> The SSL_CTX_* class of functions loads the certificates and keys into
> the SSL_CTX object ctx. The information is passed to SSL objects ssl
> created from ctx with SSL_new by copying, so that changes applied to
> ctx do not propagate to already existing SSL objects.

It says the same in both 1.0.1 and 1.0.2 versions, though. I guess we
have been relying on a bug that was fixed in 1.0.2, in that the
intermediate CA certs were actually propagated from the context to the
existing SSL object, contrary to what the man page says. I don't
immediately see any relevant change in the OpenSSL commit logs between
1.0.1 and 1.0.2, though.

I think we need to rearrange the code so that we call
SSL_CTX_use_certificate() first, and SSL_new() after that. I wonder if
that's going to break 1.0.1, though.

Setting up a test environment with the required certificates and CAs is
a bit tedious. Would you be interested in adding a test case for this in
the SSL test suite, in src/test/ssl, and posting a patch for that? I can
take a stab at fixing this, but having a test case ready would give me a
head start.

- Heikki



--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
