Re: [ADMIN] ssl client cert authentication

Поиск
Список
Период
Сортировка
От Bruce Momjian
Тема Re: [ADMIN] ssl client cert authentication
Дата
Msg-id 201101180231.p0I2VmL05969@momjian.us
обсуждение исходный текст
Список pgsql-docs
Ray Stell wrote:
> On Mon, Nov 01, 2010 at 12:46:33PM -0400, Tom Lane wrote:
> > Ray Stell <stellr@cns.vt.edu> writes:
> > > Someone asked about ssl client cert auth recently.  I got
> > > this to work, but something tripped me up.
> >
> > > http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html
> >
> > > states (very clearly, btw) that, "To require the client to supply a
> > > trusted certificate, place certificates of the certificate authorities
> > > (CAs) you trust in the file root.crt in the data directory."  I had
> > > ASS-U-MEd that root.crt would go in .postgresql as it does for encryption.
> >
> > > This begs the question, why two copies of the same file?
> >
> > The one in ~/.postgresql is for client usage.  The one in $PGDATA is for
> > the server's use.  There's no reason to assume they'd be the same.
> >
> >             regards, tom lane
>
> I think I see where I went off:
>  31.17. SSL Support
> Changing this to:
>  31.17. Client SSL Support
> would be helpful.  Also,
>  31.17.4. SSL File Usage
> might be:
>  31.17.4. SSL Client File Usage
> They did this in the server section, so I'm not completely nuts:
>  17.8.2. SSL Server File Usage
>
> In hindsight it is very clear.  Chapter 17 is on the server and 31 is on the
> client.  Adding those section title words would have helped me stay on
> course.
>
> Another way of providing clue would be to add $PGDATA somewhere in Table
> 17-3. SSL Server File Usage.  They did that sort of thing on the client side
> in Table 31-4. Libpq/Client SSL File Usage.

These are all very good ideas and I have applied them for 9.1 in the
attached patch.  I also found a few libpq titles that needed
capitalization, which is also in the patch. Thanks for the ideas.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + It's impossible for everything to be true. +
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index fe661b8..1606a56 100644
*** /tmp/pgdiff.4616/aPwGCb_libpq.sgml    Mon Jan 17 21:29:06 2011
--- doc/src/sgml/libpq.sgml    Mon Jan 17 21:04:29 2011
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6641,6647 ****
    </para>

   <sect2 id="libq-ssl-certificates">
!   <title>Certificate verification</title>

    <para>
     By default, <productname>PostgreSQL</> will not perform any verification of
--- 6641,6647 ----
    </para>

   <sect2 id="libq-ssl-certificates">
!   <title>Client Verification of Server Certificates</title>

    <para>
     By default, <productname>PostgreSQL</> will not perform any verification of
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6696,6702 ****
   </sect2>

   <sect2 id="libpq-ssl-clientcert">
!   <title>Client certificates</title>

    <para>
     If the server requests a trusted client certificate,
--- 6696,6702 ----
   </sect2>

   <sect2 id="libpq-ssl-clientcert">
!   <title>Client Certificates</title>

    <para>
     If the server requests a trusted client certificate,
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6738,6744 ****
   </sect2>

   <sect2 id="libpq-ssl-protection">
!   <title>Protection provided in different modes</title>

    <para>
     The different values for the <literal>sslmode</> parameter provide different
--- 6738,6744 ----
   </sect2>

   <sect2 id="libpq-ssl-protection">
!   <title>Protection Provided in Different Modes</title>

    <para>
     The different values for the <literal>sslmode</> parameter provide different
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6746,6752 ****
     protection against three types of attacks:
    </para>
    <table id="libpq-ssl-protect-attacks">
!    <title>SSL attacks</title>
     <tgroup cols="2">
      <thead>
       <row>
--- 6746,6752 ----
     protection against three types of attacks:
    </para>
    <table id="libpq-ssl-protect-attacks">
!    <title>SSL Attacks</title>
     <tgroup cols="2">
      <thead>
       <row>
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6821,6827 ****
    </para>

    <table id="libpq-ssl-sslmode-statements">
!    <title>SSL mode descriptions</title>
     <tgroup cols="4">
      <thead>
       <row>
--- 6821,6827 ----
    </para>

    <table id="libpq-ssl-sslmode-statements">
!    <title>SSL Mode Descriptions</title>
     <tgroup cols="4">
      <thead>
       <row>
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6912,6918 ****
   </sect2>

   <sect2 id="libpq-ssl-fileusage">
!   <title>SSL File Usage</title>
    <table id="libpq-ssl-file-usage">
     <title>Libpq/Client SSL File Usage</title>
     <tgroup cols="3">
--- 6912,6918 ----
   </sect2>

   <sect2 id="libpq-ssl-fileusage">
!   <title>SSL Client File Usage</title>
    <table id="libpq-ssl-file-usage">
     <title>Libpq/Client SSL File Usage</title>
     <tgroup cols="3">
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6958,6964 ****
   </sect2>

   <sect2 id="libpq-ssl-initialize">
!   <title>SSL library initialization</title>

    <para>
     If your application initializes <literal>libssl</> and/or
--- 6958,6964 ----
   </sect2>

   <sect2 id="libpq-ssl-initialize">
!   <title>SSL Library Initialization</title>

    <para>
     If your application initializes <literal>libssl</> and/or
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 8911e99..9b92bec 100644
*** /tmp/pgdiff.4616/QgCZ3a_runtime.sgml    Mon Jan 17 21:29:06 2011
--- doc/src/sgml/runtime.sgml    Mon Jan 17 21:18:42 2011
*************** $ <userinput>kill -INT `head -1 /usr/loc
*** 1770,1796 ****
      <tbody>

       <row>
!       <entry><filename>server.crt</></entry>
        <entry>server certificate</entry>
        <entry>sent to client to indicate server's identity</entry>
       </row>

       <row>
!       <entry><filename>server.key</></entry>
        <entry>server private key</entry>
        <entry>proves server certificate was sent by the owner; does not indicate
        certificate owner is trustworthy</entry>
       </row>

       <row>
!       <entry><filename>root.crt</></entry>
        <entry>trusted certificate authorities</entry>
        <entry>checks that client certificate is
        signed by a trusted certificate authority</entry>
       </row>

       <row>
!       <entry><filename>root.crl</></entry>
        <entry>certificates revoked by certificate authorities</entry>
        <entry>client certificate must not be on this list</entry>
       </row>
--- 1770,1796 ----
      <tbody>

       <row>
!       <entry><filename>$PGDATA/server.crt</></entry>
        <entry>server certificate</entry>
        <entry>sent to client to indicate server's identity</entry>
       </row>

       <row>
!       <entry><filename>$PGDATA/server.key</></entry>
        <entry>server private key</entry>
        <entry>proves server certificate was sent by the owner; does not indicate
        certificate owner is trustworthy</entry>
       </row>

       <row>
!       <entry><filename>$PGDATA/root.crt</></entry>
        <entry>trusted certificate authorities</entry>
        <entry>checks that client certificate is
        signed by a trusted certificate authority</entry>
       </row>

       <row>
!       <entry><filename>$PGDATA/root.crl</></entry>
        <entry>certificates revoked by certificate authorities</entry>
        <entry>client certificate must not be on this list</entry>
       </row>

В списке pgsql-docs по дате отправления:

Предыдущее
От: Chris Meller
Дата:
Сообщение: Documentation Navigation Feedback
Следующее
От: Josh Kupershmidt
Дата:
Сообщение: Re: Problems with 8.3.12 docs?