Discussion: ssl client cert authentication


ssl client cert authentication

From: Ray Stell
Date:
Someone asked about ssl client cert auth recently.  I got
this to work, but something tripped me up.

http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html

states (very clearly, btw) that, "To require the client to supply a
trusted certificate, place certificates of the certificate authorities
(CAs) you trust in the file root.crt in the data directory."  I had
ASS-U-MEd that root.crt would go in .postgresql as it does for encryption.

This begs the question, why two copies of the same file?

Re: ssl client cert authentication

From: Tom Lane
Date:
Ray Stell <stellr@cns.vt.edu> writes:
> Someone asked about ssl client cert auth recently.  I got
> this to work, but something tripped me up.

> http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html

> states (very clearly, btw) that, "To require the client to supply a
> trusted certificate, place certificates of the certificate authorities
> (CAs) you trust in the file root.crt in the data directory."  I had
> ASS-U-MEd that root.crt would go in .postgresql as it does for encryption.

> This begs the question, why two copies of the same file?

The one in ~/.postgresql is for client usage.  The one in $PGDATA is for
the server's use.  There's no reason to assume they'd be the same.

            regards, tom lane
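
The two distinct root.crt files Tom describes, built with openssl as an added example; this is not code from the thread or from PostgreSQL itself. The directories pgdata/ and client_home/.postgresql/ stand in for $PGDATA and the client user's home, the host name db.example.test and the role name stellr are assumed, and openssl must be on PATH.

```sh
#!/bin/sh
# Added example (not from the thread): build the server-side and client-side
# root.crt with two independent CAs and show which side each one verifies.
# "pgdata" and "client_home" are constructed stand-ins for $PGDATA and ~.
set -eu

# Minimal openssl config so the example does not depend on a system openssl.cnf.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
}

# build_pki WORKDIR: creates WORKDIR/pgdata (server side) and
# WORKDIR/client_home/.postgresql (client side) with the files each side reads.
build_pki() {
  w="$1"; cnf="$w/openssl.cnf"
  mkdir -p "$w/pgdata" "$w/client_home/.postgresql"
  write_cnf "$cnf"
  # CA #1 issues CLIENT certificates; its certificate is the server's $PGDATA/root.crt.
  openssl req -config "$cnf" -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client-ca" \
    -keyout "$w/client-ca.key" -out "$w/pgdata/root.crt" 2>/dev/null
  # CA #2 issues the SERVER certificate; its certificate is the client's ~/.postgresql/root.crt.
  openssl req -config "$cnf" -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=server-ca" \
    -keyout "$w/server-ca.key" -out "$w/client_home/.postgresql/root.crt" 2>/dev/null
  # server.crt / server.key live in $PGDATA and are signed by CA #2 (host name assumed).
  openssl req -config "$cnf" -new -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
    -keyout "$w/pgdata/server.key" -out "$w/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$w/server.csr" -CA "$w/client_home/.postgresql/root.crt" \
    -CAkey "$w/server-ca.key" -set_serial 1 -extfile "$cnf" -extensions leaf_ext \
    -out "$w/pgdata/server.crt" 2>/dev/null
  # postgresql.crt / postgresql.key live in ~/.postgresql and are signed by CA #1;
  # the CN is the database role the client connects as (role name assumed).
  openssl req -config "$cnf" -new -newkey rsa:2048 -nodes -subj "/CN=stellr" \
    -keyout "$w/client_home/.postgresql/postgresql.key" -out "$w/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$w/client.csr" -CA "$w/pgdata/root.crt" \
    -CAkey "$w/client-ca.key" -set_serial 2 -extfile "$cnf" -extensions leaf_ext \
    -out "$w/client_home/.postgresql/postgresql.crt" 2>/dev/null
  # Both the server and libpq refuse a private key that is group- or world-readable.
  chmod 0600 "$w/pgdata/server.key" "$w/client_home/.postgresql/postgresql.key"
}

# verify_with CAFILE CERT: prints "ok" or "fail"; the same chain check each
# TLS endpoint performs with its own root.crt.
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Each root.crt validates only the certificate it was meant for.
demo() {
  w="$(mktemp -d)"
  build_pki "$w"
  echo "server root.crt vs client cert: $(verify_with "$w/pgdata/root.crt" "$w/client_home/.postgresql/postgresql.crt")"
  echo "client root.crt vs server cert: $(verify_with "$w/client_home/.postgresql/root.crt" "$w/pgdata/server.crt")"
  echo "server root.crt vs server cert: $(verify_with "$w/pgdata/root.crt" "$w/pgdata/server.crt")"
  rm -rf "$w"
}
demo
```

The server's root.crt accepts the client certificate and rejects server.crt, and the client's root.crt does the reverse, which is why copying one file into both places only works when both sides happen to be issued by the same CA. Per the sentence Ray quoted from ssl-tcp.html, placing root.crt in the data directory is also what makes the server require a client certificate in the first place, so the server-side file both enables that check and bounds which issuers pass it.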

Re: ssl client cert authentication

From: Ray Stell
Date:
On Mon, Nov 01, 2010 at 12:46:33PM -0400, Tom Lane wrote:
> Ray Stell <stellr@cns.vt.edu> writes:
> > Someone asked about ssl client cert auth recently.  I got
> > this to work, but something tripped me up.
>
> > http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html
>
> > states (very clearly, btw) that, "To require the client to supply a
> > trusted certificate, place certificates of the certificate authorities
> > (CAs) you trust in the file root.crt in the data directory."  I had
> > ASS-U-MEd that root.crt would go in .postgresql as it does for encryption.
>
> > This begs the question, why two copies of the same file?
>
> The one in ~/.postgresql is for client usage.  The one in $PGDATA is for
> the server's use.  There's no reason to assume they'd be the same.
>
>             regards, tom lane

I think I see where I went off:
 31.17. SSL Support
Changing this to:
 31.17. Client SSL Support
would be helpful.  Also,
 31.17.4. SSL File Usage
might be:
 31.17.4. SSL Client File Usage
They did this in the server section, so I'm not completely nuts:
 17.8.2. SSL Server File Usage

In hindsight it is very clear.  Chapter 17 is on the server and 31 is on the
client.  Adding those section title words would have helped me stay on
course.

Another way of providing clue would be to add $PGDATA somewhere in Table
17-3. SSL Server File Usage.  They did that sort of thing on the client side
in Table 31-4. Libpq/Client SSL File Usage.

Re: ssl client cert authentication

From: Bruce Momjian
Date:
Ray Stell wrote:
> On Mon, Nov 01, 2010 at 12:46:33PM -0400, Tom Lane wrote:
> > Ray Stell <stellr@cns.vt.edu> writes:
> > > Someone asked about ssl client cert auth recently.  I got
> > > this to work, but something tripped me up.
> >
> > > http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html
> >
> > > states (very clearly, btw) that, "To require the client to supply a
> > > trusted certificate, place certificates of the certificate authorities
> > > (CAs) you trust in the file root.crt in the data directory."  I had
> > > ASS-U-MEd that root.crt would go in .postgresql as it does for encryption.
> >
> > > This begs the question, why two copies of the same file?
> >
> > The one in ~/.postgresql is for client usage.  The one in $PGDATA is for
> > the server's use.  There's no reason to assume they'd be the same.
> >
> >             regards, tom lane
>
> I think I see where I went off:
>  31.17. SSL Support
> Changing this to:
>  31.17. Client SSL Support
> would be helpful.  Also,
>  31.17.4. SSL File Usage
> might be:
>  31.17.4. SSL Client File Usage
> They did this in the server section, so I'm not completely nuts:
>  17.8.2. SSL Server File Usage
>
> In hindsight it is very clear.  Chapter 17 is on the server and 31 is on the
> client.  Adding those section title words would have helped me stay on
> course.
>
> Another way of providing clue would be to add $PGDATA somewhere in Table
> 17-3. SSL Server File Usage.  They did that sort of thing on the client side
> in Table 31-4. Libpq/Client SSL File Usage.

These are all very good ideas and I have applied them for 9.1 in the
attached patch.  I also found a few libpq titles that needed
capitalization, which is also in the patch. Thanks for the ideas.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + It's impossible for everything to be true. +
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index fe661b8..1606a56 100644
*** /tmp/pgdiff.4616/aPwGCb_libpq.sgml    Mon Jan 17 21:29:06 2011
--- doc/src/sgml/libpq.sgml    Mon Jan 17 21:04:29 2011
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6641,6647 ****
    </para>

   <sect2 id="libq-ssl-certificates">
!   <title>Certificate verification</title>

    <para>
     By default, <productname>PostgreSQL</> will not perform any verification of
--- 6641,6647 ----
    </para>

   <sect2 id="libq-ssl-certificates">
!   <title>Client Verification of Server Certificates</title>

    <para>
     By default, <productname>PostgreSQL</> will not perform any verification of
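Review bot: the sect2 id on the line above the retitled heading, `libq-ssl-certificates`, is missing the `p` that every sibling id in this patch carries (`libpq-ssl-clientcert`, `libpq-ssl-protection`, `libpq-ssl-fileusage`); since this hunk already touches the section, decide whether to correct the id at the same time, bearing in mind that changing it breaks any existing link to the `#libq-ssl-certificates` anchor, or add a comment that the misspelling is being kept deliberately.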
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6696,6702 ****
   </sect2>

   <sect2 id="libpq-ssl-clientcert">
!   <title>Client certificates</title>

    <para>
     If the server requests a trusted client certificate,
--- 6696,6702 ----
   </sect2>

   <sect2 id="libpq-ssl-clientcert">
!   <title>Client Certificates</title>

    <para>
     If the server requests a trusted client certificate,
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6738,6744 ****
   </sect2>

   <sect2 id="libpq-ssl-protection">
!   <title>Protection provided in different modes</title>

    <para>
     The different values for the <literal>sslmode</> parameter provide different
--- 6738,6744 ----
   </sect2>

   <sect2 id="libpq-ssl-protection">
!   <title>Protection Provided in Different Modes</title>

    <para>
     The different values for the <literal>sslmode</> parameter provide different
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6746,6752 ****
     protection against three types of attacks:
    </para>
    <table id="libpq-ssl-protect-attacks">
!    <title>SSL attacks</title>
     <tgroup cols="2">
      <thead>
       <row>
--- 6746,6752 ----
     protection against three types of attacks:
    </para>
    <table id="libpq-ssl-protect-attacks">
!    <title>SSL Attacks</title>
     <tgroup cols="2">
      <thead>
       <row>
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6821,6827 ****
    </para>

    <table id="libpq-ssl-sslmode-statements">
!    <title>SSL mode descriptions</title>
     <tgroup cols="4">
      <thead>
       <row>
--- 6821,6827 ----
    </para>

    <table id="libpq-ssl-sslmode-statements">
!    <title>SSL Mode Descriptions</title>
     <tgroup cols="4">
      <thead>
       <row>
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6912,6918 ****
   </sect2>

   <sect2 id="libpq-ssl-fileusage">
!   <title>SSL File Usage</title>
    <table id="libpq-ssl-file-usage">
     <title>Libpq/Client SSL File Usage</title>
     <tgroup cols="3">
--- 6912,6918 ----
   </sect2>

   <sect2 id="libpq-ssl-fileusage">
!   <title>SSL Client File Usage</title>
    <table id="libpq-ssl-file-usage">
     <title>Libpq/Client SSL File Usage</title>
     <tgroup cols="3">
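Review bot: the new sect2 title `SSL Client File Usage` and the unchanged table title two lines below it, `Libpq/Client SSL File Usage`, now order the words differently; the section title was chosen to parallel `SSL Server File Usage` in runtime.sgml, so consider aligning the table title with the same word order (for example `Libpq/SSL Client File Usage`) so the two read consistently. Minor.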
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6958,6964 ****
   </sect2>

   <sect2 id="libpq-ssl-initialize">
!   <title>SSL library initialization</title>

    <para>
     If your application initializes <literal>libssl</> and/or
--- 6958,6964 ----
   </sect2>

   <sect2 id="libpq-ssl-initialize">
!   <title>SSL Library Initialization</title>

    <para>
     If your application initializes <literal>libssl</> and/or
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 8911e99..9b92bec 100644
*** /tmp/pgdiff.4616/QgCZ3a_runtime.sgml    Mon Jan 17 21:29:06 2011
--- doc/src/sgml/runtime.sgml    Mon Jan 17 21:18:42 2011
*************** $ <userinput>kill -INT `head -1 /usr/loc
*** 1770,1796 ****
      <tbody>

       <row>
!       <entry><filename>server.crt</></entry>
        <entry>server certificate</entry>
        <entry>sent to client to indicate server's identity</entry>
       </row>

       <row>
!       <entry><filename>server.key</></entry>
        <entry>server private key</entry>
        <entry>proves server certificate was sent by the owner; does not indicate
        certificate owner is trustworthy</entry>
       </row>

       <row>
!       <entry><filename>root.crt</></entry>
        <entry>trusted certificate authorities</entry>
        <entry>checks that client certificate is
        signed by a trusted certificate authority</entry>
       </row>

       <row>
!       <entry><filename>root.crl</></entry>
        <entry>certificates revoked by certificate authorities</entry>
        <entry>client certificate must not be on this list</entry>
       </row>
--- 1770,1796 ----
      <tbody>

       <row>
!       <entry><filename>$PGDATA/server.crt</></entry>
        <entry>server certificate</entry>
        <entry>sent to client to indicate server's identity</entry>
       </row>

       <row>
!       <entry><filename>$PGDATA/server.key</></entry>
        <entry>server private key</entry>
        <entry>proves server certificate was sent by the owner; does not indicate
        certificate owner is trustworthy</entry>
       </row>

       <row>
!       <entry><filename>$PGDATA/root.crt</></entry>
        <entry>trusted certificate authorities</entry>
        <entry>checks that client certificate is
        signed by a trusted certificate authority</entry>
       </row>

       <row>
!       <entry><filename>$PGDATA/root.crl</></entry>
        <entry>certificates revoked by certificate authorities</entry>
        <entry>client certificate must not be on this list</entry>
       </row>
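Review bot: prefixing the four filenames with `$PGDATA/` tells the reader where the files live, but the hunk introduces `$PGDATA` without saying that it means the data directory, and the row for `$PGDATA/root.crt` still describes only the check the file enables ("checks that client certificate is signed by a trusted certificate authority"), not that the file's presence is what makes the server require a client certificate at all, which is the sentence from ssl-tcp.html that tripped Ray up at the start of this thread. Suggest a short lead-in sentence or table footnote, e.g. "Files are read from the data directory ($PGDATA); if root.crt is present the server requests and verifies a client certificate", so the table carries the behavioural trigger and not only the check.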