From: | tgl(at)postgresql(dot)org (Tom Lane) |
---|---|
To: | pgsql-committers(at)postgresql(dot)org |
Subject: | pgsql: Rearrange libpq's SSL initialization to simplify it and make it |
Date: | 2010-05-26 21:39:27 |
Message-ID: | 20100526213927.580BD7541D2@cvs.postgresql.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-committers |
Log Message:
-----------
Rearrange libpq's SSL initialization to simplify it and make it handle some
additional cases correctly. The original coding failed to load additional
(chain) certificates from the client cert file, meaning that indirectly signed
client certificates didn't work unless one hacked the server's root.crt file
to include intermediate CAs (not the desired approach). Another problem was
that everything got loaded into the shared SSL_context object, which meant
that concurrent connections trying to use different sslcert settings could
well fail due to conflicting over the single available slot for a keyed
certificate.
To fix, get rid of the use of SSL_CTX_set_client_cert_cb(), which is
deprecated anyway in the OpenSSL documentation, and instead just
unconditionally load the client cert and private key during connection
initialization. This lets us use SSL_CTX_use_certificate_chain_file(),
which does the right thing with additional certs, and is lots simpler than
the previous hacking about with BIO-level access. A small disadvantage is
that we have to load the primary client cert a second time with
SSL_use_certificate_file, so that that one ends up in the correct slot
within the connection's SSL object where it can get paired with the key.
Given the other overhead of making an SSL connection, that doesn't seem
worth worrying about.
Per discussion ensuing from bug #5468.
Modified Files:
--------------
pgsql/src/interfaces/libpq:
fe-connect.c (r1.392 -> r1.393)
(http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/interfaces/libpq/fe-connect.c?r1=1.392&r2=1.393)
fe-secure.c (r1.133 -> r1.134)
(http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/interfaces/libpq/fe-secure.c?r1=1.133&r2=1.134)
From | Date | Subject | |
---|---|---|---|
Next Message | Heikki Linnakangas | 2010-05-26 22:21:33 | pgsql: In walsender, don't sleep if there's outstanding WAL waiting to |
Previous Message | Tom Lane | 2010-05-26 20:47:14 | pgsql: Fix bogus error message for SSL-cert authentication, due to lack |