Bruce Momjian wrote:
> Peter Eisentraut wrote:
> > Using the attached patch, SSL will act over Unix-domain sockets. AFAICT,
> > this just works. I didn't find a way to sniff a Unix-domain socket,
> > however.
> >
> > How should we proceed with this?
>
> I am confused by the shortness of this patch. Right now pg_hba.conf
> has:
>
> # host DATABASE USER CIDR-ADDRESS METHOD [OPTION]
> # hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
> # hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
>
> These are all for TCP connections. How do we handle 'local' SSL
> connection specification? Do we want to provide similar functionality
> for local connections?
Here is a patch that implements "localssl" as well. It is quite simple.
(Note that the code in hba.c is all copy and paste.)
--
Peter Eisentraut
http://developer.postgresql.org/~petere/
diff -ur ../cvs-pgsql/doc/src/sgml/client-auth.sgml ./doc/src/sgml/client-auth.sgml
--- ../cvs-pgsql/doc/src/sgml/client-auth.sgml 2008-01-05 11:58:42.000000000 +0100
+++ ./doc/src/sgml/client-auth.sgml 2008-01-05 13:55:28.000000000 +0100
@@ -97,6 +97,8 @@
A record can have one of the seven formats
<synopsis>
local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-option</replaceable></optional>
+localssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-option</replaceable></optional>
+localnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-option</replaceable></optional>
host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-option</replaceable></optional>
hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-option</replaceable></optional>
hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-option</replaceable></optional>
@@ -112,8 +114,36 @@
<listitem>
<para>
This record matches connection attempts using Unix-domain
- sockets. Without a record of this type, Unix-domain socket
- connections are disallowed.
+ sockets.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>localssl</literal></term>
+ <listitem>
+ <para>
+ This record matches connection attempts using Unix-domain
+ sockets, but only when the connection is made with <acronym>SSL</acronym>.
+ </para>
+
+ <para>
+ To make use of this option the server must be built with
+ <acronym>SSL</acronym> support. Furthermore,
+ <acronym>SSL</acronym> must be enabled at server start time
+ by setting the <xref linkend="guc-ssl"> configuration parameter (see
+ <xref linkend="ssl-tcp"> for more information).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>localnossl</literal></term>
+ <listitem>
+ <para>
+ This record type has the opposite logic to <literal>localssl</>:
+ it only matches connection attempts made over Unix-domain sockets
+ that do not use <acronym>SSL</acronym>.
</para>
</listitem>
</varlistentry>
@@ -144,8 +174,7 @@
<listitem>
<para>
This record matches connection attempts made using TCP/IP,
- but only when the connection is made with <acronym>SSL</acronym>
- encryption.
+ but only when the connection is made with <acronym>SSL</acronym>.
</para>
<para>
diff -ur ../cvs-pgsql/src/backend/libpq/hba.c ./src/backend/libpq/hba.c
--- ../cvs-pgsql/src/backend/libpq/hba.c 2008-01-05 11:58:45.000000000 +0100
+++ ./src/backend/libpq/hba.c 2008-01-05 12:12:54.000000000 +0100
@@ -668,8 +668,36 @@
line_item = list_head(line);
/* Check the record type. */
token = lfirst(line_item);
- if (strcmp(token, "local") == 0)
+ if (strcmp(token, "local") == 0
+ || strcmp(token, "localssl") == 0
+ || strcmp(token, "localnossl") == 0)
{
+
+ if (token[5] == 's') /* "localssl" */
+ {
+#ifdef USE_SSL
+ /* Record does not match if we are not on an SSL connection */
+ if (!port->ssl)
+ return;
+
+ /* Placeholder to require specific SSL level, perhaps? */
+ /* Or a client certificate */
+
+ /* Since we were on SSL, proceed as with normal 'local' mode */
+#else
+ /* We don't accept this keyword at all if no SSL support */
+ goto hba_syntax;
+#endif
+ }
+#ifdef USE_SSL
+ else if (token[5] == 'n') /* "localnossl" */
+ {
+ /* Record does not match if we are on an SSL connection */
+ if (port->ssl)
+ return;
+ }
+#endif
+
/* Get the database. */
line_item = lnext(line_item);
if (!line_item)
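Review bot: Selecting the branch with `token[5] == 's'` / `token[5] == 'n'` at the top of the new block is brittle: it only works because the three strcmp() calls just above have pinned the token to one of three exact keywords, and any future keyword sharing the `local` prefix would silently take the wrong branch; comparing the keyword explicitly costs nothing here, e.g. `if (strcmp(token, "localssl") == 0)` and `else if (strcmp(token, "localnossl") == 0)`. Separately, the `localnossl` check sits entirely inside `#ifdef USE_SSL`, so in a build without SSL support the keyword is accepted and matches every Unix-domain connection while `localssl` is rejected as a syntax error; that asymmetry is presumably copied from the hostssl/hostnossl handling, but it deserves a one-line comment such as `/* Without SSL support every local connection is non-SSL, so localnossl behaves exactly like local */`. The enclosing record-parsing function starts and ends outside this hunk, so the `hba_syntax` label it jumps to could not be checked here.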
diff -ur ../cvs-pgsql/src/backend/libpq/pg_hba.conf.sample ./src/backend/libpq/pg_hba.conf.sample
--- ../cvs-pgsql/src/backend/libpq/pg_hba.conf.sample 2007-08-11 19:12:25.000000000 +0200
+++ ./src/backend/libpq/pg_hba.conf.sample 2008-01-05 12:17:27.000000000 +0100
@@ -10,15 +10,18 @@
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTION]
+# localssl DATABASE USER METHOD [OPTION]
+# localnossl DATABASE USER METHOD [OPTION]
# host DATABASE USER CIDR-ADDRESS METHOD [OPTION]
# hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
# hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
#
# (The uppercase items must be replaced by actual values.)
#
-# The first field is the connection type: "local" is a Unix-domain socket,
-# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
-# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
+# The first field is the connection type: "local" is a Unix-domain
+# socket, "host" is a TCP/IP socket, both either a plain or
+# SSL-encrypted. "localssl" and "hostssl" are SSL-encrypted sockets;
+# "localnossl" and "hostnossl" are plain sockets.
#
# DATABASE can be "all", "sameuser", "samerole", a database name, or
# a comma-separated list thereof.
diff -ur ../cvs-pgsql/src/backend/postmaster/postmaster.c ./src/backend/postmaster/postmaster.c
--- ../cvs-pgsql/src/backend/postmaster/postmaster.c 2008-01-05 11:58:46.000000000 +0100
+++ ./src/backend/postmaster/postmaster.c 2008-01-05 12:17:13.000000000 +0100
@@ -1448,8 +1448,8 @@
char SSLok;
#ifdef USE_SSL
- /* No SSL when disabled or on Unix sockets */
- if (!EnableSSL || IS_AF_UNIX(port->laddr.addr.ss_family))
+ /* No SSL when disabled */
+ if (!EnableSSL)
SSLok = 'N';
else
SSLok = 'S'; /* Support for SSL */
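Review bot: The rewritten comment on the `if (!EnableSSL)` line no longer records that Unix-domain sockets were deliberately made eligible for SSL negotiation, so a later reader may well reinstate the `IS_AF_UNIX` exclusion as a "fix"; suggest `/* No SSL when disabled; Unix-domain sockets are intentionally eligible so that localssl/localnossl records in pg_hba.conf can be enforced */`. Whether the negotiation that follows actually completes over AF_UNIX depends on the handshake code after this hunk, which is not in view, so that should be confirmed rather than assumed from this change alone. The enclosing function starts and ends outside this hunk.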
diff -ur ../cvs-pgsql/src/interfaces/libpq/fe-connect.c ./src/interfaces/libpq/fe-connect.c
--- ../cvs-pgsql/src/interfaces/libpq/fe-connect.c 2008-01-05 11:58:53.000000000 +0100
+++ ./src/interfaces/libpq/fe-connect.c 2008-01-05 12:17:13.000000000 +0100
@@ -1261,11 +1261,6 @@
* If SSL is enabled and we haven't already got it running,
* request it instead of sending the startup message.
*/
- if (IS_AF_UNIX(conn->raddr.addr.ss_family))
- {
- /* Don't bother requesting SSL over a Unix socket */
- conn->allow_ssl_try = false;
- }
if (conn->allow_ssl_try && !conn->wait_ssl_try &&
conn->ssl == NULL)
{
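Review bot: Dropping the Unix-socket exclusion means that with the default `sslmode=prefer` libpq will now attempt SSL on every local connection, paying a negotiation round-trip and a full handshake that buys no confidentiality on a Unix-domain socket, and that cost is not mentioned anywhere in the patch; it would be worth conditioning the attempt on the user having asked for more than the default (the representation of sslmode in this libpq version is outside the hunk, so the exact test should be checked). Whatever is chosen, a comment at the removed location should state that sslmode now applies to Unix-domain sockets so the behaviour change is visibly deliberate, e.g. `/* SSL is also negotiated over Unix-domain sockets so that localssl records can be matched */`. The enclosing connection state machine starts and ends outside this hunk.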