On Mon, Sep 12, 2011 at 07:37:23PM +0200, Magnus Hagander wrote:
> On Mon, Sep 12, 2011 at 19:21, David Fetter <da...@fetter.org> wrote:
> > On Wed, Aug 31, 2011 at 09:59:18AM +0000, Srinivas Aji wrote:
> >>
> >> The following bug has been logged online:
> >>
> >> Bug reference:      6189
> >> Logged by:          Srinivas Aji
> >> Email address:      srinivas....@emc.com
> >> PostgreSQL version: 9.0.4
> >> Operating system:   Linux
> >> Description:        libpq: sslmode=require verifies server certificate if
> >> root.crt is present
> >> Details:
> >>
> >> From the documentation of sslmode values in
> >> http://www.postgresql.org/docs/9.0/static/libpq-ssl.html ,
> >> it looks like libpq will not verify the server certificate when the option
> >> sslmode=require is used, and will perform different levels of certificate
> >> verification in the cases sslmode=verify-ca and sslmode=verify-full.
> >>
> >> The observed behaviour is a bit different. If the ~/.postgresql/root.crt
> >> file (or any other filename set through sslrootcert option) is found,
> >> sslmode=require also performs the same level of certificate verification as
> >> verify-ca. The difference between require and verify-ca is that it is an
> >> error for the file to not exist when sslmode is verify-ca.
> >>
> >> Thanks,
> >> Srinivas
> >
> > It looks to me like there could at least in theory be an attack vector
> > or two that we're not covering with this bug.  Anybody want to tackle
> > same?
>
> I haven't checked the code yet, but from the report it sounds like
> we're checking *too much* - how could that be an attack vector?

Well, "too much checking," classically, is a source of denial of
service attacks.  It's not a super likely source, but it's a source,
and it'd be better to fix it than leave it lie. :)

Cheers,
David.
-- 
David Fetter <da...@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fet...@gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
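
Added example, not part of the thread and not libpq code: a small Python audit helper that reports which certificate check a client would get under the behaviour described in bug 6189, given a connection string and a home directory. The names `parse_conninfo` and `effective_check` are hypothetical, the conninfo parser is simplified (no spaces around `=`), and the decision logic models the report's description for 9.0.4; `PGSSLMODE` and `PGSSLROOTCERT` are libpq's environment variables.

```python
import os
import shlex
import tempfile


def parse_conninfo(conninfo):
    """Split a libpq-style 'key=value' string (simplified: no spaces around '=')."""
    params = {}
    for token in shlex.split(conninfo):
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"not a key=value pair: {token!r}")
        params[key] = value
    return params


def effective_check(conninfo, home, env=None):
    """Hypothetical helper: certificate check applied, as described in the report."""
    env = env or {}
    params = parse_conninfo(conninfo)
    mode = params.get("sslmode") or env.get("PGSSLMODE") or "prefer"
    root = (params.get("sslrootcert") or env.get("PGSSLROOTCERT")
            or os.path.join(home, ".postgresql", "root.crt"))
    have_root = os.path.isfile(root)
    if mode in ("verify-ca", "verify-full"):
        # The report notes a missing root file is an error for verify-ca;
        # libpq treats verify-full the same way.
        return mode if have_root else "error: root certificate file missing"
    if mode == "require":
        # Reported behaviour: the file's presence silently upgrades the check.
        return "verify-ca (implicit)" if have_root else "encrypt only"
    return "not covered by the report"


if __name__ == "__main__":
    # Constructed sample: a throwaway home directory, first without root.crt.
    with tempfile.TemporaryDirectory() as home:
        dsn = "host=db.example.com dbname=app sslmode=require"
        print("no root.crt  :", effective_check(dsn, home))
        os.makedirs(os.path.join(home, ".postgresql"))
        open(os.path.join(home, ".postgresql", "root.crt"), "w").close()
        print("with root.crt:", effective_check(dsn, home))
```

Running it against each service account's home directory shows where `sslmode=require` clients are already verifying the server certificate, and would therefore start failing if the server's certificate chain changed.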