NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commit7ac258c

committed

Fix multiple breakages in our support for SSL certificates.

1 parent9236c79 commit7ac258cCopy full SHA for 7ac258c

File tree

4 files changed

+112

-85

lines changed

doc/src/sgml
- libpq.sgml
- runtime.sgml
src
- backend/libpq
  - be-secure.c
- interfaces/libpq
  - fe-secure.c

4 files changed

+112

-85

lines changed

`‎doc/src/sgml/libpq.sgml`

Lines changed: 37 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`<!--`
`2`		`-$PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.163 2004/09/23 13:31:09 momjian Exp $`
	`2`	`+$PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.164 2004/09/26 22:51:49 tgl Exp $`
`3`	`3`	`-->`
`4`	`4`
`5`	`5`	`<chapter id="libpq">`
`@@ -233,22 +233,13 @@ PGconn PQconnectdb(const char conninfo);`
`233`	`233`
`234`	`234`	`<para>`
`235`	`235`	`If <productname>PostgreSQL</> is compiled without SSL support,`
`236`		`- using option <literal>require</> will cause an error,and`
	`236`	`+ using option <literal>require</> will cause an error,while`
`237`	`237`	`options <literal>allow</> and <literal>prefer</> will be`
`238`	`238`	`tolerated but <application>libpq</> will be unable to negotiate`
`239`	`239`	`an <acronym>SSL</>`
`240`	`240`	`connection.<indexterm><primary>SSL</><secondary`
`241`	`241`	`sortas="libpq">with libpq</></indexterm>`
`242`	`242`	`</para>`
`243`		`-`
`244`		`- <para>`
`245`		`- Please note that <acronym>SSL</> support in libpq covers`
`246`		`- encryption only. It will not verify the validity of the`
`247`		`- certificate presented by the server that you are connecting to,`
`248`		`- nor verify that the hostname matches that of the server's`
`249`		`- certificate. Additionally, there is no support for client`
`250`		`- certificates.`
`251`		`- </para>`
`252`	`243`	`</listitem>`
`253`	`244`	`</varlistentry>`
`254`	`245`
`@@ -3688,6 +3679,41 @@ If the permissions are less strict than this, the file will be ignored.`
`3688`	`3679`	`</para>`
`3689`	`3680`	`</sect1>`
`3690`	`3681`
	`3682`	`+`
	`3683`	`+<sect1 id="libpq-ssl">`
	`3684`	`+<title>SSL Support</title>`
	`3685`	`+`
	`3686`	`+<indexterm zone="libpq-ssl">`
	`3687`	`+ <primary>SSL</primary>`
	`3688`	`+</indexterm>`
	`3689`	`+`
	`3690`	`+ <para>`
	`3691`	`+ <productname>PostgreSQL</> has native support for using`
	`3692`	`+ <acronym>SSL</> connections to encrypt client/server communications`
	`3693`	`+ for increased security. See <xref linkend="ssl-tcp"> for details`
	`3694`	`+ about the server-side <acronym>SSL</> functionality.`
	`3695`	`+ </para>`
	`3696`	`+`
	`3697`	`+ <para>`
	`3698`	`+ If the server demands a client certificate,`
	`3699`	`+ <application>libpq</application>`
	`3700`	`+ will send the certificate stored in file`
	`3701`	`+ <filename>.postgresql/postgresql.crt</> within the user's home directory.`
	`3702`	`+ A matching private key file <filename>.postgresql/postgresql.key</>`
	`3703`	`+ must also be present, and must not be world-readable.`
	`3704`	`+ </para>`
	`3705`	`+`
	`3706`	`+ <para>`
	`3707`	`+ If the file <filename>.postgresql/root.crt</> is present in the user's`
	`3708`	`+ home directory,`
	`3709`	`+ <application>libpq</application> will use the certificate list stored`
	`3710`	`+ therein to verify the server's certificate. The SSL connection will`
	`3711`	`+ fail if the server does not present a certificate; therefore, to`
	`3712`	`+ use this feature the server must also have a <filename>root.crt</> file.`
	`3713`	`+ </para>`
	`3714`	`+</sect1>`
	`3715`	`+`
	`3716`	`+`
`3691`	`3717`	`<sect1 id="libpq-threading">`
`3692`	`3718`	`<title>Behavior in Threaded Programs</title>`
`3693`	`3719`

`‎doc/src/sgml/runtime.sgml`

Lines changed: 17 additions & 13 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`<!--`
`2`		`-$PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.283 2004/09/23 13:15:57 momjian Exp $`
	`2`	`+$PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.284 2004/09/26 22:51:49 tgl Exp $`
`3`	`3`	`-->`
`4`	`4`
`5`	`5`	`<Chapter Id="runtime">`
`@@ -804,7 +804,7 @@ SET ENABLE_SEQSCAN TO OFF;`
`804`	`804`	`<para>`
`805`	`805`	`Enables <acronym>SSL</> connections. Please read`
`806`	`806`	`<xref linkend="ssl-tcp"> before using this. The default`
`807`		`- is off.`
	`807`	`+ is off. This parameter can only be set at server start.`
`808`	`808`	`</para>`
`809`	`809`	`</listitem>`
`810`	`810`	`</varlistentry>`
@@ -4324,8 +4324,8 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput
`4324`	`4324`	`The server will listen for both standard and <acronym>SSL</>`
`4325`	`4325`	`connections on the same TCP port, and will negotiate with any`
`4326`	`4326`	`connecting client on whether to use <acronym>SSL</>. See <xref`
`4327`		`- linkend="auth-pg-hba-conf"> about how toforce the server to`
`4328`		`- require use of <acronym>SSL</> forcertain connections.`
	`4327`	`+ linkend="auth-pg-hba-conf"> about how toset up the server to`
	`4328`	`+ require use of <acronym>SSL</> forsome or all connections.`
`4329`	`4329`	`</para>`
`4330`	`4330`
`4331`	`4331`	`<para>`
`@@ -4361,20 +4361,24 @@ chmod og-rwx server.key`
`4361`	`4361`
`4362`	`4362`	`<para>`
`4363`	`4363`	`If verification of client certificates is required, place the`
`4364`		`- certificates of the <acronym>CA</acronym> you wish to check for in`
	`4364`	`+ certificates of the <acronym>CA</acronym>(s) you wish to check for in`
`4365`	`4365`	`the file <filename>root.crt</filename> in the data directory. When`
`4366`	`4366`	`present, a client certificate will be requested from the client`
`4367`		`- making the connection and it must have been signed by one of the`
`4368`		`- certificates present in <filename>root.crt</filename>. If no`
`4369`		`- certificate is presented, the connection will be allowed to proceed`
`4370`		`- anway.`
	`4367`	`+ during SSL connection startup, and it must have been signed by one of the`
	`4368`	`+ certificates present in <filename>root.crt</filename>.`
`4371`	`4369`	`</para>`
`4372`	`4370`
`4373`	`4371`	`<para>`
`4374`		`- The <filename>root.crt</filename> file is always checked for, and`
`4375`		`- its absence will be noted through a message in the log. This is`
`4376`		`- merely an informative message that client certificates will not be`
`4377`		`- requested.`
	`4372`	`+ When the <filename>root.crt</filename> file is not present, client`
	`4373`	`+ certificates will not be requested or checked. In this mode, SSL`
	`4374`	`+ provides communication security but not authentication.`
	`4375`	`+ </para>`
	`4376`	`+`
	`4377`	`+ <para>`
	`4378`	`+ The files <filename>server.key</>, <filename>server.crt</>,`
	`4379`	`+ and <filename>root.crt</filename> are only examined during server`
	`4380`	`+ start; so you must restart the server to make changes in them take`
	`4381`	`+ effect.`
`4378`	`4382`	`</para>`
`4379`	`4383`	`</sect1>`
`4380`	`4384`

`‎src/backend/libpq/be-secure.c`

Lines changed: 15 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.50 2004/09/23 20:27:50 tgl Exp $`
	`14`	`+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.51 2004/09/26 22:51:49 tgl Exp $`
`15`	`15`	`*`
`16`	`16`	`* Since the server static private key ($DataDir/server.key)`
`17`	`17`	`* will normally be stored unencrypted so that the database`
`@@ -117,7 +117,6 @@ static const char *SSLerrmessage(void);`
`117`	`117`	`*(total in both directions) before we require renegotiation.`
`118`	`118`	`*/`
`119`	`119`	`#defineRENEGOTIATION_LIMIT (512 * 1024 * 1024)`
`120`		`-#defineCA_PATH NULL`
`121`	`120`
`122`	`121`	`staticSSL_CTX*SSL_context=NULL;`
`123`	`122`	`#endif`
`@@ -412,12 +411,12 @@ static DH *`
`412`	`411`	`load_dh_file(intkeylength)`
`413`	`412`	`{`
`414`	`413`	`FILE*fp;`
`415`		`-charfnbuf[2048];`
	`414`	`+charfnbuf[MAXPGPATH];`
`416`	`415`	`DH*dh=NULL;`
`417`	`416`	`intcodes;`
`418`	`417`
`419`	`418`	`/* attempt to open file. It's not an error if it doesn't exist. */`
`420`		`-snprintf(fnbuf,sizeoffnbuf,"%s/dh%d.pem",DataDir,keylength);`
	`419`	`+snprintf(fnbuf,sizeof(fnbuf),"%s/dh%d.pem",DataDir,keylength);`
`421`	`420`	`if ((fp=fopen(fnbuf,"r"))==NULL)`
`422`	`421`	`returnNULL;`
`423`	`422`
`@@ -694,20 +693,26 @@ initialize_SSL(void)`
`694`	`693`	`if (SSL_CTX_set_cipher_list(SSL_context,"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH")!=1)`
`695`	`694`	`elog(FATAL,"could not set the cipher list (no valid ciphers available)");`
`696`	`695`
`697`		`-/* accept client certificates, but don't require them. */`
	`696`	`+/*`
	`697`	`+ * Require and check client certificates only if we have a root.crt file.`
	`698`	`+ */`
`698`	`699`	`snprintf(fnbuf,sizeof(fnbuf),"%s/root.crt",DataDir);`
`699`		`-if (!SSL_CTX_load_verify_locations(SSL_context,fnbuf,CA_PATH))`
	`700`	`+if (!SSL_CTX_load_verify_locations(SSL_context,fnbuf,NULL))`
`700`	`701`	`{`
`701`	`702`	`/* Not fatal - we do not require client certificates */`
`702`	`703`	`ereport(LOG,`
`703`	`704`	`(errmsg("could not load root certificate file \"%s\": %s",`
`704`	`705`	`fnbuf,SSLerrmessage()),`
`705`	`706`	`errdetail("Will not verify client certificates.")));`
`706`		`-return0;`
`707`	`707`	`}`
`708`		`-SSL_CTX_set_verify(SSL_context,`
`709`		`-SSL_VERIFY_PEER \|SSL_VERIFY_CLIENT_ONCE,`
`710`		`-verify_cb);`
	`708`	`+else`
	`709`	`+{`
	`710`	`+SSL_CTX_set_verify(SSL_context,`
	`711`	`+ (SSL_VERIFY_PEER \|`
	`712`	`+SSL_VERIFY_FAIL_IF_NO_PEER_CERT \|`
	`713`	`+SSL_VERIFY_CLIENT_ONCE),`
	`714`	`+verify_cb);`
	`715`	`+}`
`711`	`716`
`712`	`717`	`return0;`
`713`	`718`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7ac258c

File tree

4 files changed

4 files changed

`‎doc/src/sgml/libpq.sgml`

`‎doc/src/sgml/runtime.sgml`

`‎src/backend/libpq/be-secure.c`

0 commit comments