Jan Wieck wrote:
> Bruce Momjian wrote:
> >
> > Because the new 7.3 SSL code doesn't work (per Peter), and the author is
> > not responding, I am about to yank out that code. Peter suggests
> > ripping out all the new code rather than try to pick around and remove
> > just the broken parts.
>
> Agreed. I always wondered what SSL DB-connections are good for.
OK, I have applied the following patch to allow SSL to work without client certificates. There was some confusion in the code because while the comments said client certificates were not required, the infrastructure on the client side was required. This patch removes the requirement, and adds a comment so Bear can make adjustments for 7.4. I don't think we ever want to _require_ client-side certificates.

I did not remove the code because after quick review I saw that his code actually filled in areas our pre-7.3 code was missing. I will have him review this patch and make any adjustments.

-- 
Bruce Momjian | http://candle.pha.pa.us
[EMAIL PROTECTED] | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Index: doc/src/sgml/runtime.sgml =================================================================== RCS file: /cvsroot/pgsql-server/doc/src/sgml/runtime.sgml,v retrieving revision 1.139 diff -c -c -r1.139 runtime.sgml *** doc/src/sgml/runtime.sgml 25 Sep 2002 21:16:10 -0000 1.139 --- doc/src/sgml/runtime.sgml 26 Sep 2002 04:36:08 -0000 *************** *** 2876,2881 **** --- 2876,2882 ---- Enter the old passphrase to unlock the existing key. Now do <programlisting> openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert + chmod og-rwx cert.pem cp cert.pem <replaceable>$PGDATA</replaceable>/server.key cp cert.cert <replaceable>$PGDATA</replaceable>/server.crt </programlisting> Index: src/backend/libpq/be-secure.c =================================================================== RCS file: /cvsroot/pgsql-server/src/backend/libpq/be-secure.c,v retrieving revision 1.14 diff -c -c -r1.14 be-secure.c *** src/backend/libpq/be-secure.c 4 Sep 2002 23:31:34 -0000 1.14 --- src/backend/libpq/be-secure.c 26 Sep 2002 04:36:12 -0000 *************** *** 642,650 **** --- 642,654 ---- snprintf(fnbuf, sizeof fnbuf, "%s/root.crt", DataDir); if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, CA_PATH)) { + return 0; + #ifdef NOT_USED + /* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */ postmaster_error("could not read root cert file (%s): %s", fnbuf, SSLerrmessage()); ExitPostmaster(1); + #endif } SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_cb); Index: src/interfaces/libpq/fe-secure.c =================================================================== RCS file: /cvsroot/pgsql-server/src/interfaces/libpq/fe-secure.c,v retrieving revision 1.13 diff -c -c -r1.13 fe-secure.c *** src/interfaces/libpq/fe-secure.c 22 Sep 2002 20:57:21 -0000 1.13 --- src/interfaces/libpq/fe-secure.c 26 Sep 2002 04:36:23 -0000 *************** *** 726,735 **** --- 726,739 ---- pwd->pw_dir); if (stat(fnbuf, &buf) == -1) { + return 0; + #ifdef NOT_USED + /* 
CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */ printfPQExpBuffer(&conn->errorMessage, libpq_gettext("could not read root certificate list (%s): %s\n"), fnbuf, strerror(errno)); return -1; + #endif } if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, 0)) { *************** *** 789,794 **** --- 793,800 ---- /* check the certificate chain of the server */ + #ifdef NOT_USED + /* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */ /* * this eliminates simple man-in-the-middle attacks and simple * impersonations *************** *** 802,807 **** --- 808,814 ---- close_SSL(conn); return -1; } + #endif /* pull out server distinguished and common names */ conn->peer = SSL_get_peer_certificate(conn->ssl); *************** *** 824,829 **** --- 831,838 ---- /* verify that the common name resolves to peer */ + #ifdef NOT_USED + /* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */ /* * this is necessary to eliminate man-in-the-middle attacks and * impersonations where the attacker somehow learned the server's *************** *** 834,839 **** --- 843,849 ---- close_SSL(conn); return -1; } + #endif return 0; }
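Review bot: in the runtime.sgml hunk, the added `chmod og-rwx cert.pem` only protects the source file; the `cp cert.pem $PGDATA/server.key` that follows inherits that mode only when server.key does not already exist, and otherwise keeps the destination's current permissions. Suggest documenting the restriction on the file the server actually reads, e.g. `chmod og-rwx $PGDATA/server.key` after the copy, in addition to or instead of the chmod on cert.pem.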
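Review bot: in the be-secure.c hunk, the `return 0;` placed at the top of the `if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, CA_PATH))` block leaves the enclosing function before the `SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_cb)` call that follows, and it does so silently now that the `postmaster_error(...)` is under `#ifdef NOT_USED`. A missing or unreadable root.crt is then indistinguishable from a successful setup, so an administrator who did install one with a typo or wrong permissions gets no signal. Suggest emitting a non-fatal log message and skipping only the set_verify call rather than returning early; the statements left after `return 0;` inside the `#ifdef` are unreachable and should be removed or restructured instead of kept as dead code.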
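Review bot: in the first fe-secure.c hunk, the `return 0;` on the `stat(fnbuf, &buf) == -1` path skips the `SSL_CTX_load_verify_locations(SSL_context, fnbuf, 0)` call and everything after it in the function, and the `printfPQExpBuffer(&conn->errorMessage, ...)` that used to explain why is now compiled out. A client whose root certificate file is in the wrong place or unreadable therefore proceeds with no trust store and no message. If the file is meant to be optional, that should be stated in a comment and the rest of the function should still run; if it is present but unreadable, the original error path (`return -1` with the message) is the more useful behaviour.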
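Review bot: the `#ifdef NOT_USED` region opened under the comment "check the certificate chain of the server" and closed after `close_SSL(conn); return -1; }` disables the client's verification of the server's certificate chain, but its marker comment reads "CLIENT CERTIFICATES NOT REQUIRED". Those are two different things: whether the server demands a client certificate is handled in be-secure.c, whereas this block is how libpq authenticates the server, and the code's own comment says it "eliminates simple man-in-the-middle attacks and simple impersonations". Dropping the client-certificate requirement does not need the server check to go. Suggest keeping the chain verification and making it conditional on a root certificate file having been loaded earlier in the function, and rewording the marker comment to say what is actually being disabled.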
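Review bot: the same applies to the `#ifdef NOT_USED` region around "verify that the common name resolves to peer": this is the client-side binding between the server's certificate and the host it connected to, and the disabled comment states it is "necessary to eliminate man-in-the-middle attacks". With this and the chain check both compiled out, the code still calls `SSL_get_peer_certificate(conn->ssl)` and fills `conn->peer`, but nothing acts on the result. If the goal is to make verification optional, skip the name comparison only when no root.crt was found and keep it when one was loaded.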