Thread: [PATCH] Remove useless DH param code on client side

[PATCH] Remove useless DH param code on client side

From

Martijn van Oosterhout

Date:

12 April 2006, 06:37:21

In the SSL code in libpq it does some processing with DH parameters:

SSL_CTX_set_tmp_dh_callback()

This function is marked as server use only[1], the client always uses
the DH parameters in the server, so all the code in the client dealing
with the DH parameters is useless. This patch removes it.

It's not clear why the code was added in the first place, it's been
there almost since the beginning[2]. At the time there was a suggestion
of merging the front-end and backend SSL code, but looking at the
changes since, that seems unlikely.

As a further example, the s_server program allows you to specify DH
params, but s_client doesn't. In the GnuTLS documentation under
gnutls_dh_params_generate2() it says[3]:

  Also note that the DH parameters are only useful to servers. Since
  clients use the parameters sent by the server, it's of no use to call
  this in client side.

Have a nice day,

[1] http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html#
[2] http://developer.postgresql.org/cvsweb.cgi/pgsql/src/interfaces/libpq/fe-secure.c#rev1.2
[3] http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-dh-params-generate2
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

Attachment

Re: [PATCH] Remove useless DH param code on client side

From

Tom Lane

Date:

12 April 2006, 14:00:33

Martijn van Oosterhout <kleptog@svana.org> writes:
> It's not clear why the code was added in the first place,

I thought it was there to support client-side authentication (ie,
verifying the server's certificate).  We don't support that right
now but we ought to.

            regards, tom lane

Re: [PATCH] Remove useless DH param code on client side

From

Martijn van Oosterhout

Date:

12 April 2006, 14:09:16

On Wed, Apr 12, 2006 at 10:00:29AM -0400, Tom Lane wrote:
> Martijn van Oosterhout <kleptog@svana.org> writes:
> > It's not clear why the code was added in the first place,
>
> I thought it was there to support client-side authentication (ie,
> verifying the server's certificate).  We don't support that right
> now but we ought to.

That's there AFAICS, using the functions:

SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL)
SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb)

That has nothing to do with DH params though, which are purely used to
generate a secret key during negotiation. The server sends you the DH
params as part of the negotiation, the client doesn't need any itself.

http://en.wikipedia.org/wiki/Diffie-Hellman

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

Attachment

signature.asc

Re: [PATCH] Remove useless DH param code on client side

From

Bruce Momjian

Date:

27 April 2006, 00:37:18

Patch applied.  Thanks.

---------------------------------------------------------------------------


Martijn van Oosterhout wrote:
-- Start of PGP signed section.
> In the SSL code in libpq it does some processing with DH parameters:
>
> SSL_CTX_set_tmp_dh_callback()
>
> This function is marked as server use only[1], the client always uses
> the DH parameters in the server, so all the code in the client dealing
> with the DH parameters is useless. This patch removes it.
>
> It's not clear why the code was added in the first place, it's been
> there almost since the beginning[2]. At the time there was a suggestion
> of merging the front-end and backend SSL code, but looking at the
> changes since, that seems unlikely.
>
> As a further example, the s_server program allows you to specify DH
> params, but s_client doesn't. In the GnuTLS documentation under
> gnutls_dh_params_generate2() it says[3]:
>
>   Also note that the DH parameters are only useful to servers. Since
>   clients use the parameters sent by the server, it's of no use to call
>   this in client side.
>
> Have a nice day,
>
> [1] http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html#
> [2] http://developer.postgresql.org/cvsweb.cgi/pgsql/src/interfaces/libpq/fe-secure.c#rev1.2
> [3] http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-dh-params-generate2
> --
> Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> > Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> > tool for doing 5% of the work and then sitting around waiting for someone
> > else to do the other 95% so you can sue them.

[ Attachment, skipping... ]
-- End of PGP section, PGP failed!

--
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +