NotificationsYou must be signed in to change notification settings
Fork28
Star153

Commit15b95cf

committed

Allow SSL to work withouth client-side certificate infrastructure.

1 parentc889c9c commit15b95cfCopy full SHA for 15b95cf

File tree

3 files changed

+18

-3

lines changed

doc/src/sgml
- runtime.sgml
src
- backend/libpq
  - be-secure.c
- interfaces/libpq
  - fe-secure.c

3 files changed

+18

-3

lines changed

`‎doc/src/sgml/runtime.sgml‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`<!--`
`2`		`-$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.139 2002/09/25 21:16:10 petere Exp $`
	`2`	`+$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.140 2002/09/26 04:41:54 momjian Exp $`
`3`	`3`	`-->`
`4`	`4`
`5`	`5`	`<Chapter Id="runtime">`
`@@ -2876,6 +2876,7 @@ openssl rsa -in privkey.pem -out cert.pem`
`2876`	`2876`	`Enter the old passphrase to unlock the existing key. Now do`
`2877`	`2877`	`<programlisting>`
`2878`	`2878`	`openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert`
	`2879`	`+chmod og-rwx cert.pem`
`2879`	`2880`	`cp cert.pem <replaceable>$PGDATA</replaceable>/server.key`
`2880`	`2881`	`cp cert.cert <replaceable>$PGDATA</replaceable>/server.crt`
`2881`	`2882`	`</programlisting>`

`‎src/backend/libpq/be-secure.c‎`

Lines changed: 5 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.14 2002/09/04 23:31:34 tgl Exp $`
	`14`	`+ * $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.15 2002/09/26 04:41:54 momjian Exp $`
`15`	`15`	`*`
`16`	`16`	`* Since the server static private key ($DataDir/server.key)`
`17`	`17`	`* will normally be stored unencrypted so that the database`
`@@ -642,9 +642,13 @@ initialize_SSL(void)`
`642`	`642`	`snprintf(fnbuf,sizeoffnbuf,"%s/root.crt",DataDir);`
`643`	`643`	`if (!SSL_CTX_load_verify_locations(SSL_context,fnbuf,CA_PATH))`
`644`	`644`	`{`
	`645`	`+return0;`
	`646`	`+#ifdefNOT_USED`
	`647`	`+/* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */`
`645`	`648`	`postmaster_error("could not read root cert file (%s): %s",`
`646`	`649`	`fnbuf,SSLerrmessage());`
`647`	`650`	`ExitPostmaster(1);`
	`651`	`+#endif`
`648`	`652`	`}`
`649`	`653`	`SSL_CTX_set_verify(SSL_context,`
`650`	`654`	`SSL_VERIFY_PEER \|SSL_VERIFY_CLIENT_ONCE,verify_cb);`

`‎src/interfaces/libpq/fe-secure.c‎`

Lines changed: 11 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.13 2002/09/22 20:57:21 petere Exp $`
	`14`	`+ * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.14 2002/09/26 04:41:55 momjian Exp $`
`15`	`15`	`*`
`16`	`16`	`* NOTES`
`17`	`17`	`* The client requires a valid server certificate. Since`
`@@ -726,10 +726,14 @@ initialize_SSL(PGconn *conn)`
`726`	`726`	`pwd->pw_dir);`
`727`	`727`	`if (stat(fnbuf,&buf)==-1)`
`728`	`728`	`{`
	`729`	`+return0;`
	`730`	`+#ifdefNOT_USED`
	`731`	`+/* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */`
`729`	`732`	`printfPQExpBuffer(&conn->errorMessage,`
`730`	`733`	`libpq_gettext("could not read root certificate list (%s): %s\n"),`
`731`	`734`	`fnbuf,strerror(errno));`
`732`	`735`	`return-1;`
	`736`	`+#endif`
`733`	`737`	`}`
`734`	`738`	`if (!SSL_CTX_load_verify_locations(SSL_context,fnbuf,0))`
`735`	`739`	`{`
`@@ -789,6 +793,8 @@ open_client_SSL(PGconn *conn)`
`789`	`793`
`790`	`794`	`/* check the certificate chain of the server */`
`791`	`795`
	`796`	`+#ifdefNOT_USED`
	`797`	`+/* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */`
`792`	`798`	`/*`
`793`	`799`	`* this eliminates simple man-in-the-middle attacks and simple`
`794`	`800`	`* impersonations`
`@@ -802,6 +808,7 @@ open_client_SSL(PGconn *conn)`
`802`	`808`	`close_SSL(conn);`
`803`	`809`	`return-1;`
`804`	`810`	`}`
	`811`	`+#endif`
`805`	`812`
`806`	`813`	`/* pull out server distinguished and common names */`
`807`	`814`	`conn->peer=SSL_get_peer_certificate(conn->ssl);`
`@@ -824,6 +831,8 @@ open_client_SSL(PGconn *conn)`
`824`	`831`
`825`	`832`	`/* verify that the common name resolves to peer */`
`826`	`833`
	`834`	`+#ifdefNOT_USED`
	`835`	`+/* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */`
`827`	`836`	`/*`
`828`	`837`	`* this is necessary to eliminate man-in-the-middle attacks and`
`829`	`838`	`* impersonations where the attacker somehow learned the server's`
`@@ -834,6 +843,7 @@ open_client_SSL(PGconn *conn)`
`834`	`843`	`close_SSL(conn);`
`835`	`844`	`return-1;`
`836`	`845`	`}`
	`846`	`+#endif`
`837`	`847`
`838`	`848`	`return0;`
`839`	`849`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit15b95cf

File tree

3 files changed

3 files changed

`‎doc/src/sgml/runtime.sgml‎`

`‎src/backend/libpq/be-secure.c‎`

`‎src/interfaces/libpq/fe-secure.c‎`

0 commit comments