Обсуждение: New SSL code to be removed

Because the new 7.3 SSL code doesn't work (per Peter), and the author is
not responding, I am about to yank out that code.  Peter suggests
ripping out all the new code rather than try to pick around and remove
just the broken parts.

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
359-1001+  If your life is a hard drive,     |  13 Roberts Road +  Christ can be your backup.        |  Newtown Square,
Pennsylvania19073
 

Bruce Momjian wrote:
> 
> Because the new 7.3 SSL code doesn't work (per Peter), and the author is
> not responding, I am about to yank out that code.  Peter suggests
> ripping out all the new code rather than try to pick around and remove
> just the broken parts.

Agreed. I allways wondered what SSL DB-connections are good for.


Jan

-- 

#======================================================================#
# It's easier to get forgiveness for being wrong than for being
right. #
# Let's break this rule - forgive
me.                                  #
#==================================================
JanWieck@Yahoo.com #

Jan Wieck wrote:
> Bruce Momjian wrote:
> > 
> > Because the new 7.3 SSL code doesn't work (per Peter), and the author is
> > not responding, I am about to yank out that code.  Peter suggests
> > ripping out all the new code rather than try to pick around and remove
> > just the broken parts.
> 
> Agreed. I allways wondered what SSL DB-connections are good for.

I am not going to rip out SSL, just the changes.  We do have people who
use SSL quite a bit.  Looking at the code, however, I may see an easy
way to allow SSL connections without requiring server certificates.  If
that is doable, I may just make that change and let the rest of the code
stay.

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
359-1001+  If your life is a hard drive,     |  13 Roberts Road +  Christ can be your backup.        |  Newtown Square,
Pennsylvania19073
 

Jan Wieck wrote:
> Bruce Momjian wrote:
> > 
> > Because the new 7.3 SSL code doesn't work (per Peter), and the author is
> > not responding, I am about to yank out that code.  Peter suggests
> > ripping out all the new code rather than try to pick around and remove
> > just the broken parts.
> 
> Agreed. I allways wondered what SSL DB-connections are good for.

I am now in email contact with Bear and he is assisting me in disabling
all certificates for 7.3.  The code will be marked as NOT_USED and can
therefore be enables in later relases.  He wants to get back this.

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
359-1001+  If your life is a hard drive,     |  13 Roberts Road +  Christ can be your backup.        |  Newtown Square,
Pennsylvania19073
 

Jan Wieck wrote:
> Bruce Momjian wrote:
> >
> > Because the new 7.3 SSL code doesn't work (per Peter), and the author is
> > not responding, I am about to yank out that code.  Peter suggests
> > ripping out all the new code rather than try to pick around and remove
> > just the broken parts.
>
> Agreed. I allways wondered what SSL DB-connections are good for.

OK, I have aplied the following patch to allow SSL to work without
client certificates.  There was some confusion in the code because while
the comments said client certificates were not required, the
infrastructure on the client side was required.  This patch removes the
requirement, and adds a comment so Bear can make adjustments for 7.4.  I
don't think we ever want to _require_ client-side certificates.

I did not remove the code because after quick review I saw that his code
actually filled in areas our pre-7.3 code was missing.  I will have him
review this patch and make any adjustments.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: /cvsroot/pgsql-server/doc/src/sgml/runtime.sgml,v
retrieving revision 1.139
diff -c -c -r1.139 runtime.sgml
*** doc/src/sgml/runtime.sgml    25 Sep 2002 21:16:10 -0000    1.139
--- doc/src/sgml/runtime.sgml    26 Sep 2002 04:36:08 -0000
***************
*** 2876,2881 ****
--- 2876,2882 ----
     Enter the old passphrase to unlock the existing key. Now do
  <programlisting>
  openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
+ chmod og-rwx cert.pem
  cp cert.pem <replaceable>$PGDATA</replaceable>/server.key
  cp cert.cert <replaceable>$PGDATA</replaceable>/server.crt
  </programlisting>
Index: src/backend/libpq/be-secure.c
===================================================================
RCS file: /cvsroot/pgsql-server/src/backend/libpq/be-secure.c,v
retrieving revision 1.14
diff -c -c -r1.14 be-secure.c
*** src/backend/libpq/be-secure.c    4 Sep 2002 23:31:34 -0000    1.14
--- src/backend/libpq/be-secure.c    26 Sep 2002 04:36:12 -0000
***************
*** 642,650 ****
--- 642,654 ----
      snprintf(fnbuf, sizeof fnbuf, "%s/root.crt", DataDir);
      if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, CA_PATH))
      {
+         return 0;
+ #ifdef NOT_USED
+         /* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
          postmaster_error("could not read root cert file (%s): %s",
                           fnbuf, SSLerrmessage());
          ExitPostmaster(1);
+ #endif
      }
      SSL_CTX_set_verify(SSL_context,
                      SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_cb);
Index: src/interfaces/libpq/fe-secure.c
===================================================================
RCS file: /cvsroot/pgsql-server/src/interfaces/libpq/fe-secure.c,v
retrieving revision 1.13
diff -c -c -r1.13 fe-secure.c
*** src/interfaces/libpq/fe-secure.c    22 Sep 2002 20:57:21 -0000    1.13
--- src/interfaces/libpq/fe-secure.c    26 Sep 2002 04:36:23 -0000
***************
*** 726,735 ****
--- 726,739 ----
                   pwd->pw_dir);
          if (stat(fnbuf, &buf) == -1)
          {
+             return 0;
+ #ifdef NOT_USED
+             /* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
              printfPQExpBuffer(&conn->errorMessage,
                   libpq_gettext("could not read root certificate list (%s): %s\n"),
                                fnbuf, strerror(errno));
              return -1;
+ #endif
          }
          if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, 0))
          {
***************
*** 789,794 ****
--- 793,800 ----

      /* check the certificate chain of the server */

+ #ifdef NOT_USED
+     /* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
      /*
       * this eliminates simple man-in-the-middle attacks and simple
       * impersonations
***************
*** 802,807 ****
--- 808,814 ----
          close_SSL(conn);
          return -1;
      }
+ #endif

      /* pull out server distinguished and common names */
      conn->peer = SSL_get_peer_certificate(conn->ssl);
***************
*** 824,829 ****
--- 831,838 ----

      /* verify that the common name resolves to peer */

+ #ifdef NOT_USED
+     /* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
      /*
       * this is necessary to eliminate man-in-the-middle attacks and
       * impersonations where the attacker somehow learned the server's
***************
*** 834,839 ****
--- 843,849 ----
          close_SSL(conn);
          return -1;
      }
+ #endif

      return 0;
  }