On Mon, Sep 12, 2011 at 07:37:23PM +0200, Magnus Hagander wrote:
> On Mon, Sep 12, 2011 at 19:21, David Fetter <david@fetter.org> wrote:
> > On Wed, Aug 31, 2011 at 09:59:18AM +0000, Srinivas Aji wrote:
> >>
> >> The following bug has been logged online:
> >>
> >> Bug reference: 6189
> >> Logged by: Srinivas Aji
> >> Email address: srinivas.aji@emc.com
> >> PostgreSQL version: 9.0.4
> >> Operating system: Linux
> >> Description: libpq: sslmode=require verifies server certificate if
> >> root.crt is present
> >> Details:
> >>
> >> >From the documentation of sslmode values in
> >> http://www.postgresql.org/docs/9.0/static/libpq-ssl.html ,
> >> it looks like libpq will not verify the server certificate when the option
> >> sslmode=require is used, and will perform different levels of certificate
> >> verification in the cases sslmode=verify-ca and sslmode=verify-full.
> >>
> >> The observed behaviour is a bit different. If the ~/.postgresql/root.crt
> >> file (or any other filename set through sslrootcert option) is found,
> >> sslmode=require also performs the same level of certificate verification as
> >> verify-ca. The difference between require and verify-ca is that it is an
> >> error for the file to not exist when sslmode is verify-ca.
> >>
> >> Thanks,
> >> Srinivas
> >
> > It looks to me like there could at least in theory be an attack vector
> > or two that we're not covering with this bug. Anybody want to tackle
> > same?
>
> I haven't checked the code yet, but from the report it sounds like
> we're checking *too much* - how could that be an attack vector?
Well, "too much checking," classically, is a source of denial of
service attacks. It's not a super likely source, but it's a source,
and it'd be better to fix it than leave it lie. :)
Cheers,
David.
--
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david.fetter@gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate