public inbox for [email protected]
help / color / mirror / Atom feedFrom: Michael Fuhr <[email protected]>
To: Tom Lane <[email protected]>
Cc: Ray Stell <[email protected]>
Cc: [email protected]
Subject: Re: no verification of client certificate?
Date: Sun, 25 Mar 2007 20:57:13 -0600
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
On Sun, Mar 25, 2007 at 10:01:20PM -0400, Tom Lane wrote:
> I looked more closely and you are right: if the server does not have
> a root.crt file then it doesn't send its server cert to the client,
> and so there's no way for the client to verify the cert.
Eh? ssldump shows otherwise here with 8.2.3. Here's a connection
where the server has server.key and server.crt but no root.crt, and
the client has the root.crt that signed server.crt and nothing else
in ~/.postgresql:
1 1 0.0338 (0.0338) C>S Handshake ClientHello
1 2 0.5179 (0.4841) S>C Handshake ServerHello
1 3 0.5179 (0.0000) S>C Handshake Certificate
1 4 0.5181 (0.0001) S>C Handshake ServerKeyExchange
1 5 0.5181 (0.0000) S>C Handshake ServerHelloDone
1 6 0.6115 (0.0934) C>S Handshake ClientKeyExchange
1 7 0.6115 (0.0000) C>S ChangeCipherSpec
1 8 0.6115 (0.0000) C>S Handshake
1 9 0.9605 (0.3489) S>C ChangeCipherSpec
1 10 0.9605 (0.0000) S>C Handshake
The client is now connected with DHE-RSA-AES256-SHA.
Here's a dump with the same server configuration (server.key, server.crt,
no root.crt) but now the client has a different root.crt than the one
that signed server.crt:
1 1 0.0335 (0.0335) C>S Handshake ClientHello
1 2 0.5626 (0.5290) S>C Handshake ServerHello
1 3 0.5626 (0.0000) S>C Handshake Certificate
1 4 0.5628 (0.0001) S>C Handshake ServerKeyExchange
1 5 0.5628 (0.0000) S>C Handshake ServerHelloDone
1 6 0.5644 (0.0016) C>S Alert fatal unknown_ca
If the client has PGSSLMODE set to "require" then the connection
fails at the client with "psql: SSL error: certificate verify failed"
and the server logs "could not accept SSL connection: tlsv1 alert
unknown ca".
Did you run any tests? If so, how did you generate the server's
certificate?
--
Michael Fuhr
view thread (14+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected]
Subject: Re: no verification of client certificate?
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox