From: Bruce Momjian
To: Michael Fuhr
CC: Tom Lane, Ray Stell, PostgreSQL-documentation
Date: Thu, 29 Mar 2007 23:44:58 -0400 (EDT)
Subject: Re: [ADMIN] no verification of client certificate?
Message-Id: <200703300344.l2U3iwC23191@momjian.us>
In-Reply-To: <20070326052125.GA6352@winnie.fuhr.org>

I researched this and found that the documentation was wrong because it
said if the client has a 'root.crt', the server must have a 'root.crt',
when in fact on the server a 'server.crt' is required. Documentation
updated, and mention of libpq SSL section added to server documentation.

The libpq comment verifies this:

        /* Set up to verify server cert, if root.crt is present */

Doc patch attached. Backpatched to 8.2.X.

---------------------------------------------------------------------------

Michael Fuhr wrote:
> On Mon, Mar 26, 2007 at 12:04:21AM -0400, Tom Lane wrote:
> > Well, if it works then why is the OP complaining?
> >
> > Perhaps there is some non-obvious configuration issue that accounts
> > for the difference between your results and his?
>
> I don't see in the OP's messages that he's tried the configuration
> I used. He said he was using the following:
>
> > > no root.crt in the data dir
> > > no .postgresql/ <--- this is what made me think there was no server verification
> > > server.crt/key in the data dir
> > > pg_hba.conf set to hostssl
> > > PGSSLMODE=required or prefer
>
> My test configuration looks the same on the server but different
> on the client:
>
> Server, in $PGDATA
> ==================
> server.key
> server.crt (signed by some CA)
> no root.crt
>
> Client, in ~/.postgresql
> ========================
> root.crt (for the CA that signed server.crt)
> no postgresql.key or postgresql.crt
>
> The OP did say that
>
> > > When I first looked at the ssl doc, I didn't see any description of
> > > installing the root ca on the client. This seemed odd. On my web client,
> > > when I need to verify the server crt, I install the appropriate ca in
> > > the client.
>
> The "SSL Support" section of the libpq documentation mentions
> installing root.crt on the client:
>
> http://www.postgresql.org/docs/8.2/interactive/libpq-ssl.html
>
> "If the file ~/.postgresql/root.crt is present in the user's home
> directory, libpq will use the certificate list stored therein to
> verify the server's certificate. (On Microsoft Windows the file is
> named %APPDATA%\postgresql\root.crt.) The SSL connection will fail
> if the server does not present a certificate; therefore, to use
> this feature the server must also have a root.crt file."
>
> The requirement that the server have a root.crt appears to be
> incorrect, at least in the tests I ran. Unless somebody can justify
> that statement I'll submit a documentation patch to correct it.
> > -- > Michael Fuhr > > ---------------------------(end of broadcast)--------------------------- > TIP 7: You can help support the PostgreSQL project by donating at > > http://www.postgresql.org/about/donate -- Bruce Momjian http://momjian.us EnterpriseDB http://www.enterprisedb.com + If your life is a hard drive, Christ can be your backup. + --ELM1175226298-9342-0_ Content-Transfer-Encoding: 7bit Content-Type: text/x-diff Content-Disposition: inline; filename="/rtmp/diff" Index: doc/src/sgml/libpq.sgml =================================================================== RCS file: /cvsroot/pgsql/doc/src/sgml/libpq.sgml,v retrieving revision 1.234 diff -c -c -r1.234 libpq.sgml *** doc/src/sgml/libpq.sgml 20 Feb 2007 19:35:17 -0000 1.234 --- doc/src/sgml/libpq.sgml 30 Mar 2007 03:14:01 -0000 *************** *** 4501,4507 **** %APPDATA%\postgresql\root.crt.) The SSL connection will fail if the server does not present a certificate; therefore, to ! use this feature the server must also have a root.crt file. Certificate Revocation List (CRL) entries are also checked if the file ~/.postgresql/root.crl exists (%APPDATA%\postgresql\root.crl on Microsoft Windows). --- 4501,4507 ---- %APPDATA%\postgresql\root.crt.) The SSL connection will fail if the server does not present a certificate; therefore, to ! use this feature the server must have a server.crt file. Certificate Revocation List (CRL) entries are also checked if the file ~/.postgresql/root.crl exists (%APPDATA%\postgresql\root.crl on Microsoft Windows). Index: doc/src/sgml/runtime.sgml =================================================================== RCS file: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v retrieving revision 1.380 diff -c -c -r1.380 runtime.sgml *** doc/src/sgml/runtime.sgml 6 Mar 2007 09:59:22 -0000 1.380 --- doc/src/sgml/runtime.sgml 30 Mar 2007 03:14:04 -0000 *************** *** 1574,1583 **** certificates of the CA(s) you wish to check for in the file root.crt in the data directory. 
When present, a client certificate will be requested from the client ! during SSL connection startup, and it must have been signed by one of the ! certificates present in root.crt. Certificate ! Revocation List (CRL) entries are also checked if the file ! root.crl exists. --- 1574,1584 ---- certificates of the CA(s) you wish to check for in the file root.crt in the data directory. When present, a client certificate will be requested from the client ! during SSL connection startup, and it must have been signed by one of ! the certificates present in root.crt. (See for a description of how to set up client ! certificates.) Certificate Revocation List (CRL) entries are also ! checked if the file root.crl exists. --ELM1175226298-9342-0_--
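Review bot: in the libpq.sgml hunk, the corrected sentence "to use this feature the server must have a server.crt file" states only that a certificate file must exist, while the test described in the thread shows the actual requirement is that server.crt be signed by a CA whose certificate is listed in the client's root.crt; suggest completing the sentence along the lines of "the server must have a server.crt file signed by one of the certificates in root.crt", so a reader does not conclude that any server.crt satisfies verification.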
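Review bot: in the runtime.sgml hunk, the added cross-reference reads "(See for a description of how to set up client certificates.)" with nothing between "See" and "for"; the reference target is not visible here, so confirm that the link resolves to the libpq "SSL Support" section the cover note mentions and that the rendered text names that section. The hunk header's change from 1574,1583 to 1574,1584 is consistent with the single added line.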
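The thread's conclusion is that the two root.crt files control different checks: root.crt in the server's data directory makes the server request and verify client certificates, while root.crt in the client's ~/.postgresql makes libpq verify the server's certificate, and the server itself only needs server.crt and server.key. The following POSIX shell script is an added example, not code from this thread or from PostgreSQL, that audits a file layout against those rules and flags the OP's situation (no client root.crt, so the server certificate is accepted unchecked). The function names are hypothetical; the file names and locations are the 8.2-era ones named in the thread, and the directories are passed in so it can run against a constructed test tree.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL itself.
# Audits the 8.2-era SSL file layout discussed in the thread and reports
# which side of the connection verifies whom. Function names are
# hypothetical; file names are those named in the thread.

# 0 if the server can present a certificate at all: server.crt and
# server.key in the data directory.
pg_server_ssl_ready() {
    [ -f "$1/server.crt" ] && [ -f "$1/server.key" ]
}

# 0 if the server will request a client certificate and check it
# against root.crt in the data directory (the only thing a server-side
# root.crt controls).
pg_server_verifies_clients() {
    [ -f "$1/root.crt" ]
}

# 0 if libpq on this client will verify the server's certificate, which
# happens only when root.crt exists in the client directory
# (~/.postgresql, or %APPDATA%\postgresql on Windows).
pg_client_verifies_server() {
    [ -f "$1/root.crt" ]
}

# Print a human-readable audit. Exit status is 0 only when the server can
# offer a certificate AND the client will actually verify it; an
# encrypted-but-unverified connection is reported as a finding.
pg_ssl_audit() {
    pgdata=$1
    clientdir=$2
    rc=0
    if pg_server_ssl_ready "$pgdata"; then
        echo "server: server.crt and server.key present, SSL can be negotiated"
    else
        echo "server: server.crt or server.key missing, hostssl connections cannot succeed"
        rc=1
    fi
    if pg_server_verifies_clients "$pgdata"; then
        echo "server: root.crt present, client certificates are requested and checked"
    else
        echo "server: no root.crt, client certificates are not requested"
    fi
    if pg_client_verifies_server "$clientdir"; then
        echo "client: root.crt present, server certificate is checked against it"
    else
        echo "client: no root.crt, server certificate is accepted unchecked (sslmode only encrypts)"
        rc=1
    fi
    return $rc
}

# Usage: sh pg_ssl_audit.sh /path/to/pgdata /path/to/client/.postgresql
if [ $# -eq 2 ]; then
    pg_ssl_audit "$1" "$2"
fi
```

Run it with the server's data directory and the client's ~/.postgresql; a non-zero exit means the connection would either fail or be encrypted without the server's identity being checked, which is exactly the gap the OP noticed when no .postgresql/ directory existed on the client.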