Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present
Msg-id CABUevEx5PGYrK1p1=sqORCtASXrzFMxkb5g=dez+PTuDG4iHsg@mail.gmail.com
In response to Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present  (Alvaro Herrera <alvherre@commandprompt.com>)
Responses Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present
List pgsql-hackers
On Fri, Sep 23, 2011 at 15:55, Alvaro Herrera
<alvherre@commandprompt.com> wrote:
>
> Excerpts from Magnus Hagander's message of vie sep 23 10:39:46 -0300 2011:
>> On Fri, Sep 23, 2011 at 14:49, Robert Haas <robertmhaas@gmail.com> wrote:
>> > On Fri, Sep 23, 2011 at 8:38 AM, Magnus Hagander <magnus@hagander.net> wrote:
>> >> On Fri, Sep 23, 2011 at 14:35, Lou Picciano <loupicciano@comcast.net> wrote:
>> >>> On Wed, Aug 31, 2011 at 11:59, Srinivas Aji <srinivas.aji@emc.com> wrote:
>> >>>>
>> >>>> The following bug has been logged online:
>> >>>>
>> >>>> Bug reference:      6189
>> >>>> Logged by:          Srinivas Aji
>> >>>> Email address:      srinivas.aji@emc.com
>> >>>> PostgreSQL version: 9.0.4
>> >>>> Operating system:   Linux
>> >>>> Description:        libpq: sslmode=require verifies server certificate if
>> >>>> root.crt is present
>
>> >>> So basically, the behaviour that is by design is:
>> >>> * require: if certificate exists, verify. if certificate doesn't
>> >>> exist, don't verify.
>> >>> * verify-ca: if certificate exists, verify. if certificate doesn't
>> >>> exist, disconnect.
>
>> > I definitely don't think we should back-patch a behavior change that
>> > silently weakens security.  That's not good.
>> >
>> > But what about not doing it in master, either?  It seems to me that we
>> > could avoid ever breaking backward compatibility by adding a new
>> > option "require-no-verify".
>>
>> Hmm. Interesting. And we could then deprecate the "require" option and
>> kill it off 4 releases later or so, I guess...
>
> So we would have
> sslmode=verify-ca / require-no-verify / verify-full / disable / allow / prefer
> ?
>
> This seems strange to me.  Why not have a second option to let the user
> indicate the desired SSL verification?
>
> sslmode=disable/allow/prefer/require
> sslverify=none/ca-if-present/ca/full
>
> (ca-if-present being the current "require" sslmode behavior).
>
> We could then deprecate sslmode=verify and verify-full and have them be
> synonyms of sslmode=require and corresponding sslverify.

Hmm. I agree that the other suggestion was a bit weird, but I'm not
sure I like the multiple-options approach either. That's going to
require redesign of all software that deals with it at all today :S

Maybe we should just update the docs and be done with it :-)

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
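
The behaviour described in the quoted thread (sslmode=require verifies only when a root certificate file is present, verify-ca disconnects when it is absent), as an added example that is not part of the original message or of libpq: a Python audit helper that reports which case a given conninfo string falls into on the local machine. The function names and outcome labels are assumptions of this example, and the conninfo parsing assumes keyword=value pairs with no spaces around "=".

```python
import os
import shlex

# libpq's default root certificate location on Unix; "~" is expanded below.
DEFAULT_ROOT_CRT = os.path.join("~", ".postgresql", "root.crt")


def parse_conninfo(conninfo):
    """Split a keyword=value conninfo string (single quotes allowed around values)."""
    return dict(tok.split("=", 1) for tok in shlex.split(conninfo))


def effective_check(conninfo, env=None):
    """Return (sslmode, root_cert_path, outcome) for one connection string.

    outcome is one of (labels are this example's own):
      "verify"    - server certificate chain is checked against the root cert
      "no-verify" - connection is encrypted but the certificate is not checked
      "fail"      - connection is refused because the root cert is missing
      "other"     - sslmode not discussed in the thread (disable/allow/prefer)
    """
    env = os.environ if env is None else env
    opts = parse_conninfo(conninfo)
    # Connection parameters take precedence over the PG* environment variables.
    mode = opts.get("sslmode") or env.get("PGSSLMODE") or "prefer"
    path = opts.get("sslrootcert") or env.get("PGSSLROOTCERT") or DEFAULT_ROOT_CRT
    path = os.path.expanduser(path)
    present = os.path.exists(path)

    if mode == "require":
        # The case from BUG #6189: the result depends on a file, not on the option.
        outcome = "verify" if present else "no-verify"
    elif mode in ("verify-ca", "verify-full"):
        # verify-full also refuses to connect without a root cert.
        outcome = "verify" if present else "fail"
    else:
        outcome = "other"
    return mode, path, outcome


if __name__ == "__main__":
    # Constructed sample connection strings; host names and paths are placeholders.
    samples = [
        "host=db.example.internal sslmode=require",
        "host=db.example.internal sslmode=verify-ca sslrootcert='/etc/pki/example root.crt'",
    ]
    for s in samples:
        mode, path, outcome = effective_check(s)
        print(f"{mode:12} root cert {path!r}: {outcome}")
```

Running it on each client host shows whether an sslmode=require connection there is actually being verified, which is the property that silently changes when a root.crt file appears or disappears.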

