Received: from localhost (maia-5.hub.org [200.46.204.182])
	by postgresql.org (Postfix) with ESMTP id 5189E9FB2A5
	for <pgsql-admin-postgresql.org@postgresql.org>;
	Sun, 25 Mar 2007 23:57:30 -0300 (ADT)
Received: from postgresql.org ([200.46.204.71])
	by localhost (mx1.hub.org [200.46.204.182]) (amavisd-new, port 10024)
	with ESMTP id 37775-08-2 for
	<pgsql-admin-postgresql.org@postgresql.org>;
	Sun, 25 Mar 2007 23:57:20 -0300 (ADT)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.4
Received: from tigger.fuhr.org (tigger.fuhr.org [63.214.45.158])
	by postgresql.org (Postfix) with ESMTP id 7FA189FB302
	for <pgsql-admin@postgresql.org>; Sun, 25 Mar 2007 23:57:26 -0300 (ADT)
Received: from winnie.fuhr.org (winnie.fuhr.org [10.1.0.1])
	by tigger.fuhr.org (8.13.8/8.13.8) with ESMTP id l2Q2vDN0050596
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Sun, 25 Mar 2007 19:57:16 -0700 (MST)
Received: from winnie.fuhr.org (localhost [127.0.0.1])
	by winnie.fuhr.org (8.13.8/8.13.8) with ESMTP id l2Q2vDiZ005786;
	Sun, 25 Mar 2007 20:57:13 -0600 (MDT)
	(envelope-from mfuhr@winnie.fuhr.org)
Received: (from mfuhr@localhost)
	by winnie.fuhr.org (8.13.8/8.13.8/Submit) id l2Q2vDa2005785;
	Sun, 25 Mar 2007 20:57:13 -0600 (MDT) (envelope-from mfuhr)
Date: Sun, 25 Mar 2007 20:57:13 -0600
From: Michael Fuhr <mike@fuhr.org>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Ray Stell <stellr@cns.vt.edu>, pgsql-admin@postgresql.org
Subject: Re: no verification of client certificate?
Message-ID: <20070326025713.GA5653@winnie.fuhr.org>
References: <20070323181626.GA16092@cns.vt.edu>
	<25532.1174687277@sss.pgh.pa.us>
	<20070324020434.GA18533@cns.vt.edu> <1950.1174874480@sss.pgh.pa.us>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1950.1174874480@sss.pgh.pa.us>
X-Virus-Scanned: Maia Mailguard 1.0.1
X-Archive-Number: 200703/187
X-Sequence-Number: 25011

On Sun, Mar 25, 2007 at 10:01:20PM -0400, Tom Lane wrote:
> I looked more closely and you are right: if the server does not have
> a root.crt file then it doesn't send its server cert to the client,
> and so there's no way for the client to verify the cert.

Eh?  ssldump shows otherwise here with 8.2.3.  Here's a connection
where the server has server.key and server.crt but no root.crt, and
the client has the root.crt that signed server.crt and nothing else
in ~/.postgresql:

1 1  0.0338 (0.0338)  C>S  Handshake      ClientHello
1 2  0.5179 (0.4841)  S>C  Handshake      ServerHello
1 3  0.5179 (0.0000)  S>C  Handshake      Certificate
1 4  0.5181 (0.0001)  S>C  Handshake      ServerKeyExchange
1 5  0.5181 (0.0000)  S>C  Handshake      ServerHelloDone
1 6  0.6115 (0.0934)  C>S  Handshake      ClientKeyExchange
1 7  0.6115 (0.0000)  C>S  ChangeCipherSpec
1 8  0.6115 (0.0000)  C>S  Handshake
1 9  0.9605 (0.3489)  S>C  ChangeCipherSpec
1 10 0.9605 (0.0000)  S>C  Handshake

The client is now connected with DHE-RSA-AES256-SHA.

Here's a dump with the same server configuration (server.key, server.crt,
no root.crt) but now the client has a different root.crt than the one
that signed server.crt:

1 1  0.0335 (0.0335)  C>S  Handshake      ClientHello
1 2  0.5626 (0.5290)  S>C  Handshake      ServerHello
1 3  0.5626 (0.0000)  S>C  Handshake      Certificate
1 4  0.5628 (0.0001)  S>C  Handshake      ServerKeyExchange
1 5  0.5628 (0.0000)  S>C  Handshake      ServerHelloDone
1 6  0.5644 (0.0016)  C>S  Alert          fatal          unknown_ca

If the client has PGSSLMODE set to "require" then the connection
fails at the client with "psql: SSL error: certificate verify failed"
and the server logs "could not accept SSL connection: tlsv1 alert
unknown ca".

Did you run any tests?  If so, how did you generate the server's
certificate?

-- 
Michael Fuhr