Thread: [PATCH] Remove useless DH param code on client side
In the SSL code in libpq it does some processing with DH parameters:

SSL_CTX_set_tmp_dh_callback()

This function is marked as server use only[1], the client always uses
the DH parameters in the server, so all the code in the client dealing
with the DH parameters is useless. This patch removes it.

It's not clear why the code was added in the first place, it's been
there almost since the beginning[2]. At the time there was a suggestion
of merging the front-end and backend SSL code, but looking at the
changes since, that seems unlikely.

As a further example, the s_server program allows you to specify DH
params, but s_client doesn't. In the GnuTLS documentation under
gnutls_dh_params_generate2() it says[3]:

Also note that the DH parameters are only useful to servers. Since
clients use the parameters sent by the server, it's of no use to call
this in client side.

Have a nice day,

[1] http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html#
[2] http://developer.postgresql.org/cvsweb.cgi/pgsql/src/interfaces/libpq/fe-secure.c#rev1.2
[3] http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-dh-params-generate2
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
Martijn van Oosterhout <kleptog@svana.org> writes:
> It's not clear why the code was added in the first place,

I thought it was there to support client-side authentication (ie,
verifying the server's certificate). We don't support that right
now but we ought to.

regards, tom lane
On Wed, Apr 12, 2006 at 10:00:29AM -0400, Tom Lane wrote:
> Martijn van Oosterhout <kleptog@svana.org> writes:
> > It's not clear why the code was added in the first place,
>
> I thought it was there to support client-side authentication (ie,
> verifying the server's certificate). We don't support that right
> now but we ought to.

That's there AFAICS, using the functions:

SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL)
SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb)

That has nothing to do with DH params though, which are purely used to
generate a secret key during negotiation. The server sends you the DH
params as part of the negotiation, the client doesn't need any itself.

http://en.wikipedia.org/wiki/Diffie-Hellman

Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
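The point made in this exchange, that DH parameters are a server-side artefact and the client only ever works with what the server sends, is easy to see in a worked handshake. The following is an added illustration in Python, not code from libpq, the patch, or OpenSSL: a toy finite-field ephemeral DH in which the parameter generation function exists only on the server side, and the client's whole contribution is to validate the received (p, g, ys) and derive its own key pair from them. Key sizes, the message dict layout and the function names are assumptions chosen for the example; the client-side checks (safe-prime modulus, generator and public value in the prime-order subgroup) are the part a defender actually wants in a client, and they need no locally generated parameters at all.

```python
import secrets

# Small primes for quick trial division before Miller-Rabin.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; sufficient for a demonstration."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0                       # n - 1 = d * 2^r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_dh_params(bits=256):
    """SERVER ONLY (toy-sized, assumed for the example): choose a safe prime
    p = 2q + 1 and a generator g of the order-q subgroup. This is the role of
    the server's tmp-DH callback; the client has no equivalent step."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1  # odd, top bit set
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, 2, p)  # a square has order q
        if g != 1:
            return p, q, g


def in_subgroup(y, p, q):
    """Public-value check both sides should do: 1 < y < p-1 and y^q == 1 mod p."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def server_key_exchange(params):
    """Server picks an ephemeral secret and sends (p, g, ys), i.e. the content
    of a DHE ServerKeyExchange message (dict layout is a constructed stand-in)."""
    p, q, g = params
    xs = secrets.randbelow(q - 1) + 1
    return xs, {"p": p, "g": g, "ys": pow(g, xs, p)}


def client_key_exchange(msg):
    """Client side: validate the received parameters, then derive its own
    ephemeral key from THEM. Nothing generated locally beforehand is used."""
    p, g, ys = msg["p"], msg["g"], msg["ys"]
    q = (p - 1) // 2
    if p % 2 == 0 or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("server modulus is not a safe prime")
    if not in_subgroup(g, p, q) or not in_subgroup(ys, p, q):
        raise ValueError("server generator or public value outside prime-order subgroup")
    xc = secrets.randbelow(q - 1) + 1
    return pow(g, xc, p), pow(ys, xc, p)   # (yc to send back, shared secret)


def server_finish(params, xs, yc):
    """Server applies the same public-value check to the client's yc."""
    p, q, g = params
    if not in_subgroup(yc, p, q):
        raise ValueError("client public value outside prime-order subgroup")
    return pow(yc, xs, p)


def run_handshake(bits=256):
    """Full exchange; returns (both sides agree on the secret, server message)."""
    params = generate_dh_params(bits)
    xs, msg = server_key_exchange(params)
    yc, client_secret = client_key_exchange(msg)
    return client_secret == server_finish(params, xs, yc), msg


def client_accepts(msg):
    """True if the client-side validation lets this server message through."""
    try:
        client_key_exchange(msg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    agreed, msg = run_handshake()
    print("shared secret agrees:", agreed, "| p bits:", msg["p"].bit_length())
```

Note that the only DH-related code the client carries is validation of received values plus its own exponentiation; a client-side copy of generate_dh_params() would never be consulted by the protocol, which is exactly why removing it from libpq changes nothing on the wire.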
Patch applied. Thanks.

---------------------------------------------------------------------------

Martijn van Oosterhout wrote:
-- Start of PGP signed section.
> In the SSL code in libpq it does some processing with DH parameters:
>
> SSL_CTX_set_tmp_dh_callback()
>
> This function is marked as server use only[1], the client always uses
> the DH parameters in the server, so all the code in the client dealing
> with the DH parameters is useless. This patch removes it.
>
> It's not clear why the code was added in the first place, it's been
> there almost since the beginning[2]. At the time there was a suggestion
> of merging the front-end and backend SSL code, but looking at the
> changes since, that seems unlikely.
>
> As a further example, the s_server program allows you to specify DH
> params, but s_client doesn't. In the GnuTLS documentation under
> gnutls_dh_params_generate2() it says[3]:
>
> Also note that the DH parameters are only useful to servers. Since
> clients use the parameters sent by the server, it's of no use to call
> this in client side.
>
> Have a nice day,
>
> [1] http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html#
> [2] http://developer.postgresql.org/cvsweb.cgi/pgsql/src/interfaces/libpq/fe-secure.c#rev1.2
> [3] http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-dh-params-generate2
> --
> Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> > Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> > tool for doing 5% of the work and then sitting around waiting for someone
> > else to do the other 95% so you can sue them.

[ Attachment, skipping... ]

-- End of PGP section, PGP failed!

--
Bruce Momjian http://candle.pha.pa.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +