BUG #4340: SECURITY: Is SSL Doing Anything?

From: "Dan Kaminsky" <dan(at)doxpara(dot)com>
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #4340: SECURITY: Is SSL Doing Anything?
Date: 2008-08-04 15:14:41
Message-ID: 200808041514.m74FEfZL097603@wwwmaster.postgresql.org
Lists: pgsql-bugs


The following bug has been logged online:

Bug reference: 4340
Logged by: Dan Kaminsky
Email address: dan(at)doxpara(dot)com
PostgreSQL version: 7.3
Operating system: Any
Description: SECURITY: Is SSL Doing Anything?
Details:

http://www.google.com/codesearch?hl=en&q=verify_cb+package:http://ring.atr.jp/archives/misc/db/postgresql-jp/7.3beta/postgresql-7.3b1.tar.gz+show:T2MIh9GrfhE:LRGuIfOPoEk:-Eemn4ZpAKY&sa=N&cd=1&ct=rc&cs_p=http://ring.atr.jp/archives/misc/db/postgresql-jp/7.3beta/postgresql-7.3b1.tar.gz&cs_f=postgresql-7.3b1/src/interfaces/libpq/fe-secure.c#l355

/*
 *	Certificate verification callback
 *
 *	This callback allows us to log intermediate problems during
 *	verification, but there doesn't seem to be a clean way to get
 *	our PGconn * structure.  So we can't log anything!
 *
 *	This callback also allows us to override the default acceptance
 *	criteria (e.g., accepting self-signed or expired certs), but
 *	for now we accept the default checks.
 */
static int
verify_cb(int ok, X509_STORE_CTX *ctx)
{
	return ok;
}

---

Clearly, this is handling self-signed certs. Great. But what I really want
to know is, is verify_peer accepting a self-signed identity assertion?
Because that'd be remote EoP.
