Re: [HACKERS] Fwd: SSL auth question

2014-04-03 Thread Воронин Дмитрий
Thank you for the answer!
I know it. So, my second question is:
How can I add support for this extension to PostgreSQL? I want PostgreSQL to 
accept a connection with the cert auth method when the certificate has my 
extension with the critical flag set.

03.04.2014, 04:33, Wim Lewis w...@omnigroup.com:
 On 1 Apr 2014, at 11:38 PM, carriingfat...@ya.ru wrote:

  I set certificate auth on postgresql 9.3. I generate an SSL certificate with 
 my custom extension. So, OpenSSL reads it, and PostgreSQL accepts it if this 
 extension is not critical, but if I set this extension critical, PostgreSQL 
 denies the connection.

 I think that is the correct behavior. The critical bit tells PostgreSQL (or 
 other software) what to do if it does not understand the extension: if 
 there's an unknown extension with the critical bit set, then the certificate 
 can't be validated. If the critical bit is not set, then the unknown 
 extension is ignored, and the certificate is processed as if the extension 
 weren't there.

 See this section of RFC 5280:
   http://tools.ietf.org/html/rfc5280#section-4.2

 The idea is that you can set the critical bit for extensions that are 
 supposed to *restrict* the usability of the certificate, so that the certificate 
 won't be used in undesired ways by software that doesn't understand the 
 extension.


Best regards, Dmitry Voronin



-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers


Re: [HACKERS] Fwd: SSL auth question

2014-04-03 Thread Tom Lane
Воронин Дмитрий carriingfat...@yandex.ru writes:
 I know it. So, my second question is:
 How can I add support for this extension to PostgreSQL? I want PostgreSQL to 
 accept a connection with the cert auth method when the certificate has my 
 extension with the critical flag set.

Seems like this is a question you should direct to OpenSSL people, not us.
Postgres itself knows nothing to speak of about SSL certificates; it just
delegates all that processing to openssl.

regards, tom lane




Re: [HACKERS] Fwd: SSL auth question

2014-04-02 Thread Robert Haas
On Wed, Apr 2, 2014 at 2:38 AM,  carriingfat...@ya.ru wrote:
 I set certificate auth on postgresql 9.3. I generate an SSL certificate with my 
 custom extension. So, OpenSSL reads it, and PostgreSQL accepts it if this extension 
 is not critical, but if I set this extension critical, PostgreSQL denies the 
 connection.

 How can I prevent it? Where does PostgreSQL try to read the SSL extension?

I don't know what it means to set an extension critical.

If you provide enough details for someone to reproduce the exact
scenario you tried, someone may be able to help.  Otherwise, probably
not.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company




Re: [HACKERS] Fwd: SSL auth question

2014-04-02 Thread Wim Lewis

On 1 Apr 2014, at 11:38 PM, carriingfat...@ya.ru wrote:
 I set certificate auth on postgresql 9.3. I generate an SSL certificate with my 
 custom extension. So, OpenSSL reads it, and PostgreSQL accepts it if this extension 
 is not critical, but if I set this extension critical, PostgreSQL denies the 
 connection.

I think that is the correct behavior. The critical bit tells PostgreSQL (or 
other software) what to do if it does not understand the extension: if there's 
an unknown extension with the critical bit set, then the certificate can't be 
validated. If the critical bit is not set, then the unknown extension is 
ignored, and the certificate is processed as if the extension weren't there.

See this section of RFC 5280:
  http://tools.ietf.org/html/rfc5280#section-4.2

The idea is that you can set the critical bit for extensions that are supposed 
to *restrict* the usability of the certificate, so that the certificate won't be 
used in undesired ways by software that doesn't understand the extension.




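The RFC 5280 section 4.2 rule Wim describes, applied to a DER-encoded X.509 Extensions sequence, as an added example that is not code from the thread, PostgreSQL or OpenSSL; the sample data is constructed here, and the OID 1.3.6.1.4.1.99999.1 is a placeholder standing in for the private extension in the question.

```python
# Added example, not code from the thread or from PostgreSQL/OpenSSL: applies the
# RFC 5280 section 4.2 rule to a DER-encoded X.509 Extensions sequence. The sample
# data is constructed here; lengths stay under 128 bytes (short-form DER only).

def der(tag, content):                        # one TLV, short-form length
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos):                       # -> (tag, content, next_pos)
    tag, ln = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def decode_oid(content):                      # OID content octets -> dotted string
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def extension(oid_bytes, value, critical=False):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    #                          extnValue OCTET STRING }; DER omits a DEFAULT value.
    crit = der(0x01, b"\xff") if critical else b""
    return der(0x30, der(0x06, oid_bytes) + crit + der(0x04, value))

def parse_extensions(ext_seq):                # -> [(dotted_oid, critical), ...]
    _, content, _ = read_tlv(ext_seq, 0)
    pos, exts = 0, []
    while pos < len(content):
        _, ext, pos = read_tlv(content, pos)
        _, oid, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = tag == 0x01 and val != b"\x00"   # explicit BOOLEAN present
        exts.append((decode_oid(oid), critical))
    return exts

BASIC_CONSTRAINTS = b"\x55\x1d\x13"           # 2.5.29.19
PRIVATE_OID = b"\x2b\x06\x01\x04\x01\x86\x8d\x1f\x01"  # placeholder 1.3.6.1.4.1.99999.1
KNOWN = {"2.5.29.19", "2.5.29.15"}            # what this validator understands

def check_extensions(ext_seq, known=KNOWN):
    """RFC 5280 4.2: an unrecognized critical extension makes the certificate
    unusable; an unrecognized non-critical one is ignored."""
    return all(oid in known or not critical for oid, critical in parse_extensions(ext_seq))

# Constructed samples: basicConstraints plus the private extension, non-critical vs critical.
BC = extension(BASIC_CONSTRAINTS, der(0x30, b""))        # BasicConstraints {} (CA FALSE)
NONCRITICAL = der(0x30, BC + extension(PRIVATE_OID, der(0x04, b"x")))
CRITICAL = der(0x30, BC + extension(PRIVATE_OID, der(0x04, b"x"), critical=True))
```

Passing the private OID in `known` is the only way the critical variant is accepted, which is the point of Tom's reply: the recognising has to happen in the library that validates the chain.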