Postgres Pro
Downloads
Home   >   mailing lists

Re: [PoC] Let libpq reject unexpected authentication requests - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: [PoC] Let libpq reject unexpected authentication requests
Date
Msg-id CAAWbhmjoOzcwXvOjhBf7gP1WFirL+JDMnDWT76ocozt_x-UJVQ@mail.gmail.com
Whole thread Raw
In response to Re: [PoC] Let libpq reject unexpected authentication requests  (Michael Paquier <michael@paquier.xyz>)
Responses Re: [PoC] Let libpq reject unexpected authentication requests  (Michael Paquier <michael@paquier.xyz>)
List pgsql-hackers
Tree view 
On Tue, Mar 21, 2023 at 11:01 PM Michael Paquier <michael@paquier.xyz> wrote:
> -      # Function introduced in OpenSSL 1.0.2.
> +      # Functions introduced in OpenSSL 1.0.2. LibreSSL doesn't have all of these.
>        ['X509_get_signature_nid'],
> +      ['SSL_CTX_set_cert_cb'],
>
> From what I can see, X509_get_signature_nid() is in LibreSSL, but not
> SSL_CTX_set_cert_cb().  Perhaps that's worth having two different
> comments?

I took a stab at that in v18. I diverged a bit between Meson and
Autoconf, which you may not care for.

> +           <para>
> +            a certificate may be sent, if the server requests one and it has
> +            been provided via <literal>sslcert</literal>
> +           </para>
>
> It seems to me that this description is not completely exact.  The
> default is to look at ~/.postgresql/postgresql.crt, so sslcert is not
> mandatory.  There could be a certificate even without sslcert set.

Reworded.

> +           libpq_append_conn_error(conn, "sslcertmode value \"%s\" invalid when SSL support is not compiled in",
> +                                   conn->sslcertmode);
>
> This string could be combined with the same one used for sslmode,
> saving a bit in translation effortm by making the connection parameter
> name a value of the string ("%s value \"%s\" invalid ..").

Done.

> +        * figure out if a certficate was actually requested, so "require" is
> s/certficate/certificate/.

Heh, fixed. I need new glasses, clearly.

> contrib/sslinfo/ has ssl_client_cert_present(), that we could use in
> the tests to make sure that the client has actually sent a
> certificate?  How about adding some of these tests to 003_sslinfo.pl
> for the "allow" and "require" cases?

Added; see what you think.

> +       if (!conn->ssl_cert_requested)
> +       {
> +           libpq_append_conn_error(conn, "server did not request a certificate");
> +           return false;
> +       }
> +       else if (!conn->ssl_cert_sent)
> +       {
> +           libpq_append_conn_error(conn, "server accepted connection without a valid certificate");
> +           return false;
> +       }
> Perhaps useless question: should this say "SSL certificate"?

I have no objection, so done that way.

> freePGconn() is missing a free(sslcertmode).

Argh, I keep forgetting that. Fixed, thanks!

--Jacob
Attachment

pgsql-hackers by date:

Previous
From: Daniel Gustafsson
Date:
Subject: Re: Making background psql nicer to use in tap tests
Next
From: Tomas Vondra
Date:
Subject: Re: pg_stats and range statistics