Thread: using pgsql-odbc using client certificate auth

using pgsql-odbc using client certificate auth

From
"Duffey, Blake A."
Date:

What support does the current PG ODBC driver have for using client certificates for user authentication?  Anyone have any experience with this?

Thanks

Blake Duffey

Re: using pgsql-odbc using client certificate auth

From
Stephen Frost
Date:
* Duffey, Blake A. (Blake.Duffey@noblis.org) wrote:
> What support does the current PG ODBC driver have for using client certificates for user authentication?  Anyone have
> any experience with this?

More specifically..  We're trying to make it work, but the ODBC driver
is crashing and we're not sure why.  The error information is:

Problem signature:
  Problem Event Name:    APPCRASH
  Application Name:    odbcad32.exe
  Application Version:    6.1.7600.16385
  Application Timestamp:    4a5bcd4c
  Fault Module Name:    CRYPT32.dll
  Fault Module Version:    6.1.7601.17514
  Fault Module Timestamp:    4ce7b841
  Exception Code:    c0000005
  Exception Offset:    0000e26b
  OS Version:    6.1.7601.2.1.0.144.8
  Locale ID:    1033
  Additional Information 1:    0a9e
  Additional Information 2:    0a9e372d3b4ad19135b953a78882e789
  Additional Information 3:    0a9e
  Additional Information 4:    0a9e372d3b4ad19135b953a78882e789

This is using the latest ODBC driver (we've tried both 32bit and 64bit
and received similar errors, the above is with the 32bit one).  We can
connect from this same system using client-side certificates with
pgAdmin (where we have to specify the file location of the key and
certificate), and we have the client certificate loaded in to the
certificate store in Windows, so we know the PG server is configured
correctly and that the key and certificate work.

The 'mylog' file contains:

[9792-0.000]globals.extra_systable_prefixes = 'dd_;'
[9792-0.000]exe name=odbcad32 plaformId=2
[9792-0.015]aszKey='DSN', value='beren_test'
[9792-0.015]copyAttributes:
DSN='beren_test',server='',dbase='',user='',passwd='xxxxx',port='',onlyread='',protocol='',conn_settings='',disallow_premature=-1)
[9792-0.062]getDSNinfo: DSN=beren_test overwrite=0
[9792-0.062]force_abbrev=0 bde=0 cvt_null_date=0
[9792-0.062]globals.extra_systable_prefixes = 'dd_;'
[9792-0.078]calling getDSNdefaults
[9792-0.078]checking libpq library
[9792-0.093]psqlodbc path based libpq loaded module=00000000
[9792-0.093]libpq hmodule=00000000
[9792-0.093]secur32 hmodule=74630000
[9792-0.093]libpq_exist=1
[9792-1.484]EN_add_connection: self = 00326A08, conn = 00326A38
[9792-1.484]       added at 0, conn->henv = 00326A08, conns[0]->henv = 00326A08

Also, looking through the source code, one thing which worries us is
that the CN in the certificate doesn't match the PG username we're
trying to use (though we've tried to make them match and that doesn't
help with the above error..).  We'd really like to not have those match
and instead have the ODBC driver use a specific certificate or have a
way to tell the ODBC driver which CN to use.

Any thoughts on this would be greatly appreciated.

    Thanks,

        Stephen


Re: using pgsql-odbc using client certificate auth

From
Hiroshi Inoue
Date:
Hi Stephen,

(2012/03/15 2:27), Stephen Frost wrote:
> * Duffey, Blake A. (Blake.Duffey@noblis.org) wrote:
>> What support does the current PG ODBC driver have for using client certificates for user authentication?  Anyone
>> have any experience with this?

I'm not sure if the client certificates work or not.
As for the 32bit driver aren't you using psqlodbc_09_01_0100?
If so please try psqlodbc_09_01_0100-1.
psqlodbc_09_01_0100 contains an illegal libpq.dll and the
client certificates functionality completely relies on libpq.

regards,
Hiroshi Inoue

> More specifically..  We're trying to make it work, but the ODBC driver
> is crashing and we're not sure why.  The error information is:
>
> Problem signature:
>    Problem Event Name:    APPCRASH
>    Application Name:    odbcad32.exe
>    Application Version:    6.1.7600.16385
>    Application Timestamp:    4a5bcd4c
>    Fault Module Name:    CRYPT32.dll
>    Fault Module Version:    6.1.7601.17514
>    Fault Module Timestamp:    4ce7b841
>    Exception Code:    c0000005
>    Exception Offset:    0000e26b
>    OS Version:    6.1.7601.2.1.0.144.8
>    Locale ID:    1033
>    Additional Information 1:    0a9e
>    Additional Information 2:    0a9e372d3b4ad19135b953a78882e789
>    Additional Information 3:    0a9e
>    Additional Information 4:    0a9e372d3b4ad19135b953a78882e789
>
> This is using the latest ODBC driver (we've tried both 32bit and 64bit
> and received similar errors, the above is with the 32bit one).  We can
> connect from this same system using client-side certificates with
> pgAdmin (where we have to specify the file location of the key and
> certificate), and we have the client certificate loaded in to the
> certificate store in Windows, so we know the PG server is configured
> correctly and that the key and certificate work.
>
> The 'mylog' file contains:
>
> [9792-0.000]globals.extra_systable_prefixes = 'dd_;'
> [9792-0.000]exe name=odbcad32 plaformId=2
> [9792-0.015]aszKey='DSN', value='beren_test'
> [9792-0.015]copyAttributes:
> DSN='beren_test',server='',dbase='',user='',passwd='xxxxx',port='',onlyread='',protocol='',conn_settings='',disallow_premature=-1)
> [9792-0.062]getDSNinfo: DSN=beren_test overwrite=0
> [9792-0.062]force_abbrev=0 bde=0 cvt_null_date=0
> [9792-0.062]globals.extra_systable_prefixes = 'dd_;'
> [9792-0.078]calling getDSNdefaults
> [9792-0.078]checking libpq library
> [9792-0.093]psqlodbc path based libpq loaded module=00000000
> [9792-0.093]libpq hmodule=00000000
> [9792-0.093]secur32 hmodule=74630000
> [9792-0.093]libpq_exist=1
> [9792-1.484]EN_add_connection: self = 00326A08, conn = 00326A38
> [9792-1.484]       added at 0, conn->henv = 00326A08, conns[0]->henv = 00326A08
>
> Also, looking through the source code, one thing which worries us is
> that the CN in the certificate doesn't match the PG username we're
> trying to use (though we've tried to make them match and that doesn't
> help with the above error..).  We'd really like to not have those match
> and instead have the ODBC driver use a specific certificate or have a
> way to tell the ODBC driver which CN to use.
>
> Any thoughts on this would be greatly appreciated.
>
>     Thanks,
>
>         Stephen

Re: using pgsql-odbc using client certificate auth

From
Stephen Frost
Date:
Hiroshi,

* Hiroshi Inoue (inoue@tpf.co.jp) wrote:
> I'm not sure if the client certificates works or not.
> As for the 32bit driver aren't you using psqlodbc_09_01_0100?
> If so please try psqlodbc_09_01_0100-1.

Thank you for that!  Turns out that was exactly it.  Other than that,
you have to set the necessary environment variables to tell libpq where
to find the certificate, the key, and the root CA certificates.  Once
those are done, it 'just works'.

It would be nice if it could use the certificate store, and it looks
like there is actually code in the ODBC driver to do that, but this is
good enough for what I need it for.

Thanks again!

    Stephen


Re: using pgsql-odbc using client certificate auth

From
Stephen Frost
Date:
Hiroshi, all,

* Stephen Frost (sfrost@snowman.net) wrote:
> It would be nice if it could use the certificate store, and it looks
> like there is actually code in the ODBC driver to do that, but this is
> good enough for what I need it for.

Ok, I've been able to make it use the Windows certificate store for the
SSL Key (at least..).  Unfortunately, it won't use the certificate store
for the actual certificate or the root chain (yet...).  When it comes to
the ODBC distribution, here's what I'd really like to see:

Please add the 'capi.dll' file to the ODBC distribution, it's part of
OpenSSL and should be installed next to libeay32.dll.  Unfortunately,
that's not all that's needed to make it work - you also need an
openssl.cfg file to be installed, ideally with the ODBC driver too,
with these contents:

---------------------------------------------------
openssl_conf = openssl_init

[openssl_init]
oid_section = new_oids
engines = engine_section

[engine_section]
capi = capi_config

[capi_config]
engine_id = capi
dynamic_path = "c:\\program\ files\ \(x86\)\\psqlodbc\\0901\\bin\\capi.dll"
init=1
---------------------------------------------------

We also need to tell OpenSSL where to find that config file by setting
an environment variable called "OPENSSL_CONF" and putting the path to
the .cfg file there, like so:

OPENSSL_CONF="C:\Program Files (x86)\psqlODBC\0901\bin\openssl.cfg"

Once all of *that* is done, you configure the PG environment variables
like so:

PGSSLCERT="C:\path\to\my.crt"
PGSSLROOTCERT="C:\path\to\myrootchain.crt"
PGSSLKEY="capi:My Name"

(eg: "capi:Stephen P Frost")

Not sure how much of the environment variable stuff we want to include
in the distribution of the ODBC driver vs. just having it in the
documentation.  The more we put into the distro, the less documentation
and the fewer steps that I'll have to deal with, so I'd be inclined to
include more rather than less.

I'm going to look into what it'd take to have CAPI be used for the
actual certificate and root chain..  That really should be very simple
as OpenSSL has support for all of this stuff, we just need to use it.
That'll likely be a libpq change though.

    Thanks!

        Stephen

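A preflight check for the setup described in the last post, written as an added example (it is not code from this thread, from psqlODBC or from libpq): it parses an openssl.cfg of the shape shown above, follows openssl_conf -> engines -> capi -> dynamic_path to find capi.dll, and checks that PGSSLCERT/PGSSLROOTCERT point at files and that PGSSLKEY is either capi:<name> or a key file. The embedded config is a copy of the post's file used as constructed sample input; the escape handling is a simplification of OpenSSL's real config parser.

```python
import os
import re

# Constructed sample: the openssl.cfg from the post above, as text (example input only).
SAMPLE_CFG = (
    "openssl_conf = openssl_init\n[openssl_init]\noid_section = new_oids\n"
    "engines = engine_section\n[engine_section]\ncapi = capi_config\n"
    "[capi_config]\nengine_id = capi\ninit=1\n"
    r'dynamic_path = "c:\\program\ files\ \(x86\)\\psqlodbc\\0901\\bin\\capi.dll"'
)

def parse_openssl_cfg(text):
    # Sections, key = value, '#' comments, quoted values, backslash escapes (simplified).
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = re.sub(r"\\(.)", r"\1", value.strip().strip('"'))
    return sections

def capi_dynamic_path(sections):
    # Follow openssl_conf -> engines -> capi -> dynamic_path; None if any link is missing.
    init = sections[""].get("openssl_conf")
    engines = sections.get(init, {}).get("engines")
    capi = sections.get(engines, {}).get("capi")
    return sections.get(capi, {}).get("dynamic_path")

def check_capi_setup(env, exists=os.path.exists, read_text=None):
    # Preflight for the setup in the post: returns the problems found (empty list = consistent).
    read_text = read_text or (lambda p: open(p, encoding="utf-8").read())
    problems = []
    cfg = env.get("OPENSSL_CONF")
    dll = capi_dynamic_path(parse_openssl_cfg(read_text(cfg))) if cfg and exists(cfg) else None
    if not cfg or not exists(cfg):
        problems.append("OPENSSL_CONF unset or points to a missing file")
    elif not dll:
        problems.append("openssl.cfg does not wire the capi engine (no dynamic_path)")
    elif not exists(dll):
        problems.append("capi.dll missing at dynamic_path: " + dll)
    for var in ("PGSSLCERT", "PGSSLROOTCERT"):  # still plain files in this setup
        if not env.get(var) or not exists(env[var]):
            problems.append(var + " unset or points to a missing file")
    key = env.get("PGSSLKEY", "")
    if key.startswith("capi:") and not key[5:].strip():
        problems.append("PGSSLKEY says capi: but names no certificate store entry")
    elif not key.startswith("capi:") and not (key and exists(key)):
        problems.append("PGSSLKEY is neither capi:<name> nor an existing key file")
    return problems
```

On the workstation itself, `check_capi_setup(dict(os.environ))` runs the same checks against the real environment and filesystem.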