patch for SSL cleanup, client certificates

From: Bear Giles <bear(at)coyotesong(dot)com>
To: pgsql-patches(at)postgresql(dot)org
Subject: patch for SSL cleanup, client certificates
Date: 2002-05-17 05:09:04
Message-ID: 200205170509.XAA03262@eris.coyotesong.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-patches

Attached is a patch that includes some SSL cleanup and adds support for
client certificates. The visible changes are:

1) postmaster logs anonymous SSL connections:

DEBUG: SSL connection from (anonymous) with cipher EDH-RSA-DES-CBC3-SHA

2) postmaster logs SSL connections with client certificates:

DEBUG: SSL connection from Bear Giles with cipher EDH-RSA-DES-CBC3-SHA

(The postmaster will also log any errors in the certificate.)

3) libpq recognizes two new environment variables/configuration file
options

PQCLIENTCERT: pathname of client certificate
PQCLIENTKEY: pathname of client key

At the current time, only unencrypted keys are supported.
There is a prototype callback that prompts the user for an
encryption passphrase, but it's not yet activated.

For security reasons, the key file must be a regular file
that is not world- or group-accessible. It should also be
owned by the server or user, but this is not yet checked.

The client cert, if provided, is available at 'port->peer', but
this value is not yet used to map a client cert into a PostgreSQL
user.

The patch also provides some cleanup of the SSL calls:

1) proper error checking for SSL_read() and SSL_write().
(You need to call SSL_get_error(), not just check the system
errno.)

2) proper shutdown of the SSL connection, at least on the client
side. Simply closing the socket is a sadly common error.
(SSL_shutdown()).

3) Empheral DH keys have been added, with fallbacks provided from
the OpenSSL source code.

4) keys must be regular files and not world- or group-accessible.
They should also be owned by the postmaster or client, but I
haven't added that test yet.

Unfortunately the error messages if the permissions tests fail
are cryptic at best. This definitely needs improvement!

Some serious work remains:

1) we should move towards TLSv1 instead of SSLv3 or SSLv2.
But this may have unforeseen consequences so we should make
sure everything else is working well first.

2) we need to provide a way to specify a good entropy source,
if one is available.

3) we need to provide a trigger to renegotiate the session key.
(E.g., renegotiate the session key after N hours or X megabytes
of data.)

4) certificates should be better validated.

5) backend/libpq/hba.c needs to be extended to support mapping
from client cert to database identity.

Bear

Attachment Content-Type Size
diff text/plain 27.5 KB

Responses

Browse pgsql-patches by date

  From Date Subject
Next Message Peter Eisentraut 2002-05-17 13:37:05 Re: [INTERFACES] libpgtcl - backend version information patch
Previous Message Nigel J. Andrews 2002-05-16 22:49:18 libpgtcl - backend version information patch