| From: | Lou Picciano <loupicciano(at)comcast(dot)net> |
|---|---|
| To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
| Cc: | kzuk(at)akamai(dot)com, pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection |
| Date: | 2016-09-21 11:16:10 |
| Message-ID: | 88224499.27838527.1474456570201.JavaMail.zimbra@comcast.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Heikki -
Would also be happy to set up a test case for this.... Impacts us directly.
Need a couple of days to do so, though. Please let me know your timeline.
Lou Picciano
----- Original Message -----
From: "Heikki Linnakangas" <hlinnaka(at)iki(dot)fi>
To: kzuk(at)akamai(dot)com, pgsql-bugs(at)postgresql(dot)org
Sent: Wednesday, September 21, 2016 4:06:33 AM
Subject: Re: [BUGS] BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection
On 09/20/2016 01:10 PM, kzuk(at)akamai(dot)com wrote:
> My educated guess is that in fe-secure-openssl.c in initialize_SSL function
> whole certificate chain is loaded into SSL_context, but only client
> certificate is loaded to SSL object. SSL object is created before loading
> certificate chain into SSL_context, so it doesn't see this update. Only the
> next connection, with new SSL object, picks up the certificate chain from
> SSL_context. It doesn't explain why it works with OpenSSL 1.0.1 though, so
> that may be a false trail.
Yeah, that's probably what's happening. The OpenSSL man page for
SSL_CTX_use_certificate() says:
> The SSL_CTX_* class of functions loads the certificates and keys into
> the SSL_CTX object ctx. The information is passed to SSL objects ssl
> created from ctx with SSL_new by copying, so that changes applied to
> ctx do not propagate to already existing SSL objects.
It says the same in both 1.0.1 and 1.0.2 versions, though. I guess we
have been relying on a bug that was fixed in 1.0.2, in that the
intermediate CA certs were actually propagated from the context to the
existing SSL object, contrary to what the man page says. I don't
immediately see any relevant change in the OpenSSL commit logs between
1.0.1 and 1.0.2, though.
I think we need to rearrange the code so that we call
SSL_CTX_use_certificate() first, and SSL_new() after that. I wonder if
that's going to break 1.0.1, though.
Setting up a test environment with the required certificates and CAs is
a bit tedious. Would you be interested in adding a test case for this in
the SSL test suite, in src/test/ssl, and posting a patch for that? I can
take a stab at fixing this, but having a test case ready would give me a
head start.
- Heikki
--
Sent via pgsql-bugs mailing list (pgsql-bugs(at)postgresql(dot)org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heikki Linnakangas | 2016-09-21 11:49:29 | Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection |
| Previous Message | Pavel Stehule | 2016-09-21 10:30:31 | Re: BUG #14330: can not select into `composite data types` in plpgsql |