[prev in list] [next in list] [prev in thread] [next in thread]
List: postgresql-general
Subject: Re: [GENERAL] [HACKERS] Trust intermediate CA for client certificates
From: Bruce Momjian <bruce () momjian ! us>
Date: 2013-11-30 17:10:19
Message-ID: 20131130171019.GA11181 () momjian ! us
[Download RAW message or body]
On Thu, Mar 21, 2013 at 01:42:55PM +0800, Craig Ringer wrote:
> On 03/19/2013 09:46 PM, Stephen Frost wrote:
> > * Craig Ringer (craig@2ndquadrant.com) wrote:
> >> As far as I'm concerned that's the immediate problem fixed. It may be
> >> worth adding a warning on startup if we find non-self-signed certs in
> >> root.crt too, something like 'WARNING: Intermediate certificate found in
> >> root.crt. This does not do what you expect and your configuration may be
> >> insecure; see the Client Certificates chapter in the documentation.'
> >
> > I'm not sure that I follow this logic, unless you're proposing that
> > intermediate CAs only be allowed to be picked up from system-wide
> > configuration? That strikes me as overly constrained as I imagine there
> > are valid configurations today which have intermediate CAs listed, with
> > the intention that they be available for PG to build the chain from a
> > client cert that is presented back up to the root. Now, the client
> > might be able to provide such an intermediate CA cert too (one of the
> > fun things about SSL is that the client can send any 'missing' certs to
> > the server, if it has them available..), but it also might not.
> >
>
> Drat, you're quite right. I've always included the full certificate
> chain in client certs but it's in no way required.
>
> I guess that pretty much means mainaining the status quo and documenting
> it better.
I have developed the attached patch to document this behavior. My goals
were:
* clarify that a cert can match a remote intermediate or root certificate
* clarify that the client cert must match a server root.crt
* clarify that the server cert much match a client root.crt
* clarify that the root certificate does not have to be specified
in the client or server cert as long as the remote end has the chain
to the root
Does it meet these goals? Is it correct?
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
["cert.diff" (text/x-diff)]
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
new file mode 100644
index 955f248..ad54564
*** a/doc/src/sgml/libpq.sgml
--- b/doc/src/sgml/libpq.sgml
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 7179,7193 ****
<quote>intermediate</> certificate authority, rather than one that is
directly trusted by the server. To use such a certificate, append the
certificate of the signing authority to the <filename>postgresql.crt</>
! file, then its parent authority's certificate, and so on up to a
! <quote>root</> authority that is trusted by the server. The root
! certificate should be included in every case where
! <filename>postgresql.crt</> contains more than one certificate.
</para>
<para>
! Note that <filename>root.crt</filename> lists the top-level CAs that are
! considered trusted for signing server certificates. In principle it need
not list the CA that signed the client's certificate, though in most cases
that CA would also be trusted for server certificates.
</para>
--- 7179,7193 ----
<quote>intermediate</> certificate authority, rather than one that is
directly trusted by the server. To use such a certificate, append the
certificate of the signing authority to the <filename>postgresql.crt</>
! file, then its parent authority's certificate, and so on up to a certificate
! authority, <quote>root</> or <quote>intermediate</>, that is trusted by
! the server, i.e. appears in the server's <filename>root.crt</filename>
! file.
</para>
<para>
! Note that the client's <filename>~/.postgresql/root.crt</> lists the top-level CAs
! that are considered trusted for signing server certificates. In principle it need
not list the CA that signed the client's certificate, though in most cases
that CA would also be trusted for server certificates.
</para>
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
new file mode 100644
index ab51782..fbed06f
*** a/doc/src/sgml/runtime.sgml
--- b/doc/src/sgml/runtime.sgml
*************** pg_dumpall -p 5432 | psql -d postgres -p
*** 1986,1995 ****
<quote>intermediate</> certificate authority, rather than one that is
directly trusted by clients. To use such a certificate, append the
certificate of the signing authority to the <filename>server.crt</> file,
! then its parent authority's certificate, and so on up to a <quote>root</>
! authority that is trusted by the clients. The root certificate should
! be included in every case where <filename>server.crt</> contains more than
! one certificate.
</para>
<sect2 id="ssl-client-certificates">
--- 1986,1995 ----
<quote>intermediate</> certificate authority, rather than one that is
directly trusted by clients. To use such a certificate, append the
certificate of the signing authority to the <filename>server.crt</> file,
! then its parent authority's certificate, and so on up to a certificate
! authority, <quote>root</> or <quote>intermediate</>, that is trusted by
! clients, i.e. appears in the clients' <filename>root.crt</filename>
! files.
</para>
<sect2 id="ssl-client-certificates">
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic