| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Ian Pilcher <arequipeno(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Trust intermediate CA for client certificates |
| Date: | 2013-03-19 13:41:25 |
| Message-ID: | 20130319134125.GD1327@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-hackers |
On Tue, Mar 19, 2013 at 09:37:18PM +0800, Craig Ringer wrote:
> On 03/19/2013 08:39 PM, Stephen Frost wrote:
> > Craig,
> >
> > * Craig Ringer (craig(at)2ndquadrant(dot)com) wrote:
> >> Yep, in most applications I've seen you usually store a list of
> >> authorized SubjectDNs or you just use your own self-signed root and
> >> issue certs from it.
> >
> > Even with a self-signed root issuing certs, you need to map the
> > individual cert to a PG user in some fashion.
> >
>
> The more I look a this, the more it looks like trying to use
> intermediate CAs as authentication roots is largely wrong anyway. We
> should document this with something like:
>
> NOTE: Only self-signed root CA certificates should be added to
> ssl_ca_file. If you add an intermediate CA certificate (one that's not
> self-signed) then PostgreSQL will not be able to validate client
> certificates against it because it will not have access to the full
> certificate chain. You can't fix that by adding the full certificate
> chain then PostgreSQL will then accept client certificates trusted by
> any member of the chain, including the root, so the effect is the same
> as placing only the root certificate in the file. It is not currently
> possible to trust certificates signed by an intermediate CA but not the
> parents in its certificate chain.
>
> ... plus some explanation that having a valid trusted cert doesn't mean
> you're authorized for access, you still have to meet the requrements in
> pg_hba.conf, have a valid username/password or match an authorized
> certificate DN (depending on config), etc.
>
> As far as I'm concerned that's the immediate problem fixed. It may be
> worth adding a warning on startup if we find non-self-signed certs in
> root.crt too, something like 'WARNING: Intermediate certificate found in
> root.crt. This does not do what you expect and your configuration may be
> insecure; see the Client Certificates chapter in the documentation.'
Yes, I like this.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2013-03-19 13:46:16 | Re: Trust intermediate CA for client certificates |
| Previous Message | Craig Ringer | 2013-03-19 13:37:18 | Re: Trust intermediate CA for client certificates |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2013-03-19 13:46:16 | Re: Trust intermediate CA for client certificates |
| Previous Message | Craig Ringer | 2013-03-19 13:37:18 | Re: Trust intermediate CA for client certificates |