| From: | Jacob Champion <jchampion(at)timescale(dot)com> |
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz> |
| Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Aleksander Alekseev <aleksander(at)timescale(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
| Subject: | Re: [PoC] Let libpq reject unexpected authentication requests |
| Date: | 2023-03-23 22:40:55 |
| Message-ID: | CAAWbhmjoOzcwXvOjhBf7gP1WFirL+JDMnDWT76ocozt_x-UJVQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Mar 21, 2023 at 11:01 PM Michael Paquier <michael(at)paquier(dot)xyz> wrote:
> - # Function introduced in OpenSSL 1.0.2.
> + # Functions introduced in OpenSSL 1.0.2. LibreSSL doesn't have all of these.
> ['X509_get_signature_nid'],
> + ['SSL_CTX_set_cert_cb'],
>
> From what I can see, X509_get_signature_nid() is in LibreSSL, but not
> SSL_CTX_set_cert_cb(). Perhaps that's worth having two different
> comments?
I took a stab at that in v18. I diverged a bit between Meson and
Autoconf, which you may not care for.
> + <para>
> + a certificate may be sent, if the server requests one and it has
> + been provided via <literal>sslcert</literal>
> + </para>
>
> It seems to me that this description is not completely exact. The
> default is to look at ~/.postgresql/postgresql.crt, so sslcert is not
> mandatory. There could be a certificate even without sslcert set.
Reworded.
> + libpq_append_conn_error(conn, "sslcertmode value \"%s\" invalid when SSL support is not compiled in",
> + conn->sslcertmode);
>
> This string could be combined with the same one used for sslmode,
> saving a bit in translation effortm by making the connection parameter
> name a value of the string ("%s value \"%s\" invalid ..").
Done.
> + * figure out if a certficate was actually requested, so "require" is
> s/certficate/certificate/.
Heh, fixed. I need new glasses, clearly.
> contrib/sslinfo/ has ssl_client_cert_present(), that we could use in
> the tests to make sure that the client has actually sent a
> certificate? How about adding some of these tests to 003_sslinfo.pl
> for the "allow" and "require" cases?
Added; see what you think.
> + if (!conn->ssl_cert_requested)
> + {
> + libpq_append_conn_error(conn, "server did not request a certificate");
> + return false;
> + }
> + else if (!conn->ssl_cert_sent)
> + {
> + libpq_append_conn_error(conn, "server accepted connection without a valid certificate");
> + return false;
> + }
> Perhaps useless question: should this say "SSL certificate"?
I have no objection, so done that way.
> freePGconn() is missing a free(sslcertmode).
Argh, I keep forgetting that. Fixed, thanks!
--Jacob
| Attachment | Content-Type | Size |
|---|---|---|
| since-v17.diff.txt | text/plain | 7.8 KB |
| v18-0001-Add-sslcertmode-option-for-client-certificates.patch | text/x-patch | 19.2 KB |
| v18-0002-require_auth-decouple-SASL-and-SCRAM.patch | text/x-patch | 8.1 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tomas Vondra | 2023-03-23 22:46:14 | Re: pg_stats and range statistics |
| Previous Message | Daniel Gustafsson | 2023-03-23 22:36:22 | Re: Making background psql nicer to use in tap tests |