Re: [HACKERS] Trust intermediate CA for client certificates

From: Craig Ringer <craig(at)2ndquadrant(dot)com>
To: Ian Pilcher <arequipeno(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org, tgl(at)sss(dot)pgh(dot)pa(dot)us, stellr(at)vt(dot)edu, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [HACKERS] Trust intermediate CA for client certificates
Date: 2013-03-18 07:10:11
Message-ID: 5146BDD3.5080902@2ndquadrant.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general pgsql-hackers

On 03/18/2013 02:27 PM, Ian Pilcher wrote:
> On 03/18/2013 12:07 AM, Craig Ringer wrote:
>> So this problem is verified.

> * Trusted certificates - What currently goes in the (unfortunately
> named) root.crt file.

Well, a little unfortunate. It contains roots of *client authentication*
trust, which is fair enough, they just aren't necessarily self-signed
certificates that are roots of *certificate validity* trust (root CA certs).

This list is set by SSL_CTX_set_client_CA_list . The examples section of
its man page contains:

Scan all certificates in CAfile and list them as acceptable CAs:

SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));

> * Validation-only certificates - CA certificates that are used only to
> complete the chain from a trusted certificate to a self-signed root.
> I haven't been able to come up with a particularly good name for a
> file containing this type of certificate(s) -- validate.crt?

We should probably take advantage of the fact that 9.2 made these
filenames configurable to deprecate root.crt and choose two descriptive
filenames, something like trusted_cert_roots.crt and
trusted_client_cert_signers.crt .

> This is conceptually simple, and I've been fiddling with it for the last
> week or so. Unfortunately, the OpenSSL documentation has made this far
> more challenging that it should be. Simple things like reading multiple
> certificates from a file, checking whether an X509_STORE contains a
> particular certificate, etc. are all proving to be unexpectedly
> difficult. (I never thought that I'd miss the Java SSL API!)

Apache's sources are useful there. When working with OpenSSL sometimes
the sanest option is to find something you know already does it right,
work out how, *understand why it works* and then apply that approach to
your code. Blindly copying their approach is stupid and guaranteed to
lead to security holes, but others' code remains some of the best
documentation for OpenSSL if used for hints rather than blindly copied.

--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Charl Roux 2013-03-18 10:25:05 Re: C++Builder table exist
Previous Message Craig Ringer 2013-03-18 07:01:17 Re: Trust intermediate CA for client certificates

Browse pgsql-hackers by date

  From Date Subject
Next Message robins 2013-03-18 07:29:12 Re: Patch to add regression tests for SCHEMA
Previous Message Craig Ringer 2013-03-18 07:01:17 Re: Trust intermediate CA for client certificates