Thread: Verifying SSL Certificate on the Client Side

Verifying SSL Certificate on the Client Side

From

"Atkins-Trimnell, Angus Black"

Date:

14 April 2008, 19:39:37

Hello,

I am trying to harden my application against man-in-the-middle attacks.
The application, written in PHP, communicates with the PostgreSQL server
using the usual pg_* functions built on the libpq library.  I have the
proper postgresql.key and postgresql.crt files installed on the Web server
(PostgreSQL client) and the server.key, server.crt and root.crt files
installed on the  PostgreSQL server.  My understanding is that when PHP
issues a pg_connect() function, libpq supplies the client certificate to
the PostgreSQL server and the PostgreSQL server checks the signature on
the certificate against the signature of the trusted CA in root.crt.  If
they match, it's go time!

My concern is that an attacker could impersonate the PostgreSQL server,
intercept the initial pg_connect() request, submit it's own certificate to
the client and steal the log in credentials.  Is this possible and, if so,
is there a way for PHP, through libpq, to check the certificate supplied
by the server to determine that it is submitted by a trusted CA?

I have submitted the same question to the PHP-DB mailing list, but a
respondent said that this would be handled by PostgreSQL not PHP.  Of
course, since I'm writing my code in PHP, I'm hoping to be able to handle
this in the PHP code.

Thanks for any guidance.

Sincerely,

Angus Atkins-Trimnell

Re: Verifying SSL Certificate on the Client Side

From

Bruce Momjian

Date:

14 April 2008, 19:43:35

Atkins-Trimnell, Angus Black wrote:
> Hello,
>
> I am trying to harden my application against man-in-the-middle attacks.
> The application, written in PHP, communicates with the PostgreSQL server
> using the usual pg_* functions built on the libpq library.  I have the
> proper postgresql.key and postgresql.crt files installed on the Web server
> (PostgreSQL client) and the server.key, server.crt and root.crt files
> installed on the  PostgreSQL server.  My understanding is that when PHP
> issues a pg_connect() function, libpq supplies the client certificate to
> the PostgreSQL server and the PostgreSQL server checks the signature on
> the certificate against the signature of the trusted CA in root.crt.  If
> they match, it's go time!
>
> My concern is that an attacker could impersonate the PostgreSQL server,
> intercept the initial pg_connect() request, submit it's own certificate to
> the client and steal the log in credentials.  Is this possible and, if so,
> is there a way for PHP, through libpq, to check the certificate supplied
> by the server to determine that it is submitted by a trusted CA?
>
> I have submitted the same question to the PHP-DB mailing list, but a
> respondent said that this would be handled by PostgreSQL not PHP.  Of
> course, since I'm writing my code in PHP, I'm hoping to be able to handle
> this in the PHP code.

I think you need to read the Postgres 8.3 docs on the subject:

    http://www.postgresql.org/docs/8.3/static/ssl-tcp.html
    http://www.postgresql.org/docs/8.3/static/libpq-ssl.html

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +