Thread: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present

On Wed, Aug 31, 2011 at 09:59:18AM +0000, Srinivas Aji wrote:
> 
> The following bug has been logged online:
> 
> Bug reference:      6189
> Logged by:          Srinivas Aji
> Email address:      srinivas.aji@emc.com
> PostgreSQL version: 9.0.4
> Operating system:   Linux
> Description:        libpq: sslmode=require verifies server certificate if
> root.crt is present
> Details: 
> 
> >From the documentation of sslmode values in
> http://www.postgresql.org/docs/9.0/static/libpq-ssl.html ,
> it looks like libpq will not verify the server certificate when the option
> sslmode=require is used, and will perform different levels of certificate
> verification in the cases sslmode=verify-ca and sslmode=verify-full.
> 
> The observed behaviour is a bit different. If the ~/.postgresql/root.crt
> file (or any other filename set through sslrootcert option) is found,
> sslmode=require also performs the same level of certificate verification as
> verify-ca. The difference between require and verify-ca is that it is an
> error for the file to not exist when sslmode is verify-ca.
> 
> Thanks,
> Srinivas

It looks to me like there could at least in theory be an attack vector
or two that we're not covering with this bug.  Anybody want to tackle
same?

Cheers,
David.
-- 
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter@gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

On Mon, Sep 12, 2011 at 19:21, David Fetter <david@fetter.org> wrote:
> On Wed, Aug 31, 2011 at 09:59:18AM +0000, Srinivas Aji wrote:
>>
>> The following bug has been logged online:
>>
>> Bug reference:      6189
>> Logged by:          Srinivas Aji
>> Email address:      srinivas.aji@emc.com
>> PostgreSQL version: 9.0.4
>> Operating system:   Linux
>> Description:        libpq: sslmode=require verifies server certificate if
>> root.crt is present
>> Details:
>>
>> >From the documentation of sslmode values in
>> http://www.postgresql.org/docs/9.0/static/libpq-ssl.html ,
>> it looks like libpq will not verify the server certificate when the option
>> sslmode=require is used, and will perform different levels of certificate
>> verification in the cases sslmode=verify-ca and sslmode=verify-full.
>>
>> The observed behaviour is a bit different. If the ~/.postgresql/root.crt
>> file (or any other filename set through sslrootcert option) is found,
>> sslmode=require also performs the same level of certificate verification as
>> verify-ca. The difference between require and verify-ca is that it is an
>> error for the file to not exist when sslmode is verify-ca.
>>
>> Thanks,
>> Srinivas
>
> It looks to me like there could at least in theory be an attack vector
> or two that we're not covering with this bug.  Anybody want to tackle
> same?

I haven't checked the code yet, but from the report it sounds like
we're checking *too much* - how could that be an attack vector?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

On Mon, Sep 12, 2011 at 07:37:23PM +0200, Magnus Hagander wrote:
> On Mon, Sep 12, 2011 at 19:21, David Fetter <david@fetter.org> wrote:
> > On Wed, Aug 31, 2011 at 09:59:18AM +0000, Srinivas Aji wrote:
> >>
> >> The following bug has been logged online:
> >>
> >> Bug reference:      6189
> >> Logged by:          Srinivas Aji
> >> Email address:      srinivas.aji@emc.com
> >> PostgreSQL version: 9.0.4
> >> Operating system:   Linux
> >> Description:        libpq: sslmode=require verifies server certificate if
> >> root.crt is present
> >> Details:
> >>
> >> >From the documentation of sslmode values in
> >> http://www.postgresql.org/docs/9.0/static/libpq-ssl.html ,
> >> it looks like libpq will not verify the server certificate when the option
> >> sslmode=require is used, and will perform different levels of certificate
> >> verification in the cases sslmode=verify-ca and sslmode=verify-full.
> >>
> >> The observed behaviour is a bit different. If the ~/.postgresql/root.crt
> >> file (or any other filename set through sslrootcert option) is found,
> >> sslmode=require also performs the same level of certificate verification as
> >> verify-ca. The difference between require and verify-ca is that it is an
> >> error for the file to not exist when sslmode is verify-ca.
> >>
> >> Thanks,
> >> Srinivas
> >
> > It looks to me like there could at least in theory be an attack vector
> > or two that we're not covering with this bug.  Anybody want to tackle
> > same?
> 
> I haven't checked the code yet, but from the report it sounds like
> we're checking *too much* - how could that be an attack vector?

Well, "too much checking," classically, is a source of denial of
service attacks.  It's not a super likely source, but it's a source,
and it'd be better to fix it than leave it lie. :)

Cheers,
David.
-- 
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter@gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

On Mon, Sep 12, 2011 at 2:20 PM, David Fetter <david@fetter.org> wrote:
> Well, "too much checking," classically, is a source of denial of
> service attacks.  It's not a super likely source, but it's a source,
> and it'd be better to fix it than leave it lie. :)

You forgot to attach the patch.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company