On 9/2/15 7:15 PM, Andres Freund wrote:
>>     Add a regression test suite for SSL support.
>>
>>     It's not run by the global "check" or "installcheck" targets, because the
>>     temporary installation it creates accepts TCP connections from any user
>>     on the same host, which is insecure.
> 
> We could just implement SSL over unix sockets. Obviously the
> connection-encryption aspect isn't actually useful, but e.g. client
> certs still make sense.  Besides, it allows us to avoid concerns like the
> above...

See old discussion here:
http://www.postgresql.org/message-id/49ca2524.5010...@gmx.net

At the time, we didn't have this test suite, obviously, so the utility
would have been limited, but now it looks quite interesting.

The only trick, as I remember, was that clients tend to prefer SSL
automatically, which we probably don't want for Unix-domain sockets, so
we'd need to tweak those settings a bit.

The "old patch" referred to in that old thread wasn't actually attached,
so here it is, for amusement.
diff -ur ../cvs-pgsql/src/backend/postmaster/postmaster.c ./src/backend/postmaster/postmaster.c
--- ../cvs-pgsql/src/backend/postmaster/postmaster.c	2008-01-04 15:55:25.000000000 +0100
+++ ./src/backend/postmaster/postmaster.c	2008-01-04 16:44:35.000000000 +0100
@@ -1448,8 +1448,8 @@
 		char		SSLok;
 
 #ifdef USE_SSL
-		/* No SSL when disabled or on Unix sockets */
-		if (!EnableSSL || IS_AF_UNIX(port->laddr.addr.ss_family))
+		/* No SSL when disabled */
+		if (!EnableSSL)
 			SSLok = 'N';
 		else
 			SSLok = 'S';		/* Support for SSL */
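Review bot: dropping the IS_AF_UNIX() condition means the server now answers 'S' to an SSLRequest on every Unix-domain connection as soon as SSL is enabled at all, with no way to keep the previous "plain on local sockets" behaviour for installations that only want SSL on TCP. Since the mail itself notes that clients prefer SSL automatically, every local connection would then pay for a TLS handshake by default; consider gating this on a separate server-side setting (or at least documenting the behaviour change) rather than removing the check outright, and update the comment to say that SSL is now offered on Unix sockets too.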
diff -ur ../cvs-pgsql/src/interfaces/libpq/fe-connect.c ./src/interfaces/libpq/fe-connect.c
--- ../cvs-pgsql/src/interfaces/libpq/fe-connect.c	2008-01-04 15:55:31.000000000 +0100
+++ ./src/interfaces/libpq/fe-connect.c	2008-01-04 16:51:09.000000000 +0100
@@ -1261,11 +1261,6 @@
 				 * If SSL is enabled and we haven't already got it running,
 				 * request it instead of sending the startup message.
 				 */
-				if (IS_AF_UNIX(conn->raddr.addr.ss_family))
-				{
-					/* Don't bother requesting SSL over a Unix socket */
-					conn->allow_ssl_try = false;
-				}
 				if (conn->allow_ssl_try && !conn->wait_ssl_try &&
 					conn->ssl == NULL)
 				{
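Review bot: removing the `conn->allow_ssl_try = false` block for Unix sockets makes libpq attempt SSL on every local connection unless the user explicitly turns it off, which is exactly the "clients prefer SSL automatically" concern raised above; the client side should only try SSL over a Unix socket when the caller asked for it. A smaller change would keep this block but make it conditional on the SSL mode having been left at its default, so that an explicit request for SSL (the client-cert use case) still goes through on a local socket while the default path stays unencrypted, and the "Don't bother requesting SSL over a Unix socket" comment should then say why the exception exists.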
-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers