| From: | Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "pgsql-hackers(at)postgreSQL(dot)org" <pgsql-hackers(at)postgreSQL(dot)org>, Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>, Magnus Hagander <magnus(at)hagander(dot)net> |
| Subject: | Re: libpq should not be using SSL_CTX_set_client_cert_cb |
| Date: | 2010-05-26 15:52:38 |
| Message-ID: | 20100526155238.GA11419@isc.upenn.edu |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, May 26, 2010 at 10:54:42AM -0400, Tom Lane wrote:
> Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu> writes:
> > I am guessing the problem is that validating the presented chain is hard?
>
> No, the problem is that the current libpq code fails to present the
> chain at all. It will only load and send the first cert in the
> postgresql.crt file. This works only when the client's cert is signed
> directly by one of the CAs trusted by the server.
Sorry, I just re-read your original message. You were clear, but I read
it wrong.
This is much less limiting than what I thought was being suggested. Having
a user's credentials work with only one trust anchor isn't that bad. I am
not familiar enough with openssl to know if there is a specific pitfall to
the change you suggested (which I think was what you were asking)..
One could make it work with multiple TAs in a similar fashion if it also
checked for the existence of a directory (like: ~/.postgresql/client_ta ) to
store chains to each supported TA by fingerprint.
That might not be worth the effort at this point...
Garick
>
> regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2010-05-26 16:03:42 | Re: Exposing the Xact commit order to the user |
| Previous Message | Steve Singer | 2010-05-26 15:43:45 | Re: Exposing the Xact commit order to the user |