Date: Tue, 16 Jan 2018 22:23:44 -0500
From: Bruce Momjian <bruce@momjian.us>
To: Michael Paquier <michael.paquier@gmail.com>
Cc: PostgreSQL-documentation <pgsql-docs@postgresql.org>,
	Stephen Frost <sfrost@snowman.net>,
	David Steele <david@pgmasters.net>
Subject: Re: Correction of intermediate certificate handling
Message-ID: <20180117032344.GA26285@momjian.us>
References: <20180116002238.GC12724@momjian.us>
 <20180116053305.GB2212@paquier.xyz>
 <20180116162122.GB1470@momjian.us>
 <20180117000950.GB935@paquier.xyz>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="envbJBWh7q8WU6mo"
Content-Disposition: inline
In-Reply-To: <20180117000950.GB935@paquier.xyz>
User-Agent: Mutt/1.5.23 (2014-03-12)
Precedence: bulk


--envbJBWh7q8WU6mo
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, Jan 17, 2018 at 09:09:50AM +0900, Michael Paquier wrote:
> On Tue, Jan 16, 2018 at 11:21:22AM -0500, Bruce Momjian wrote:
> > On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
> > > This bit is important. I am happy that your patch mentions that
> > > intermediate certificates avoid the need to store root ones on the
> > > client. Should the docs mention terms like "chain of trust"?
> > 
> > I think the question is how much do we want to "teach" people in our
> > docs.  We do oddly but wisely link from our docs to HP OpenVMS docs
> > about how the chain of trust works:
> > 
> > 	http://h41379.www4.hpe.com/doc/83final/ba554_90007/ch04s02.html
> > 
> > I will write up a paragraph about the concepts for our docs for the
> > group's review.
> 
> As a separate patch, I think that it would be fine as well.

I ended up merging the "chain of trust" changes into the "intermediate"
patch since they affect adjacent sections of the docs.  You can see this
as the first attached patch.

> > > Perhaps the docs could also include an example of command to create a
> > > root and an intermediate certificate in runtime.sgml or such?
> > 
> > Yes, I have thought about that.  My presentation has clear examples that
> > we can use, again based on Stephen and David's scripts using v3_ca.  I
> > will work up a possible patch for that too.
> 
> That too.

I did that as a separate patch, which is the second attachment.

> > > On top of that, src/test/ssl does not provide any kind of coverage for
> > > that. It would be an area of improvement for those tests.
> > 
> > Wow, I have no idea how to do that.  Let me look.  Seems I have more
> > work to do.
> 
> You would need to update src/test/ssl/Makefile to generate those
> intermediate CAs, and then make ServerSetup::switch_server_cert smarter
> in the way the series of certificates are handled. A suggestion I have
> would be to create each certificate file separately and change the
> routine so as it uses an array in input, the order of the items defining
> what's the order the the data. For the client there is sslrootcert, so I
> guess that a small routine able to take a set of certs and append them
> to a single file would make it as well (switch_server_cert should use
> it).

I don't think I will work on the testing changes.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +

--envbJBWh7q8WU6mo
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="crt.diff"

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
new file mode 100644
index 4e46451..ec85132
*** a/doc/src/sgml/libpq.sgml
--- b/doc/src/sgml/libpq.sgml
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 7574,7590 ****
     the server certificate. This means that it is possible to spoof the server
     identity (for example by modifying a DNS record or by taking over the server
     IP address) without the client knowing. In order to prevent spoofing,
!    <acronym>SSL</acronym> certificate verification must be used.
    </para>
  
    <para>
     If the parameter <literal>sslmode</literal> is set to <literal>verify-ca</literal>,
     libpq will verify that the server is trustworthy by checking the
!    certificate chain up to a trusted certificate authority
!    (<acronym>CA</acronym>). If <literal>sslmode</literal> is set to <literal>verify-full</literal>,
!    libpq will <emphasis>also</emphasis> verify that the server host name matches its
!    certificate. The SSL connection will fail if the server certificate cannot
!    be verified. <literal>verify-full</literal> is recommended in most
     security-sensitive environments.
    </para>
  
--- 7574,7610 ----
     the server certificate. This means that it is possible to spoof the server
     identity (for example by modifying a DNS record or by taking over the server
     IP address) without the client knowing. In order to prevent spoofing,
!    the client must be able to verify the server's identity via a chain of
!    trust.  A chain of trust is established by placing a root (self-signed)
!    certificate authority (<acronym>CA</acronym>) certificate on one
!    computer and a leaf certificate <emphasis>signed</emphasis> by the
!    root certificate on another computer.  It is also possible to use an
!    <quote>intermediate</quote> certificate which is signed by the root
!    certificate and signs leaf certificates.
!   </para>
! 
!   <para>
!    To allow the client to verify the identity of the server, place a root
!    certificate on the client and a leaf certificate signed by the root
!    certificate on the server.  To allow the server to verify the identity
!    of the client, place a root certificate on the server and a leaf and
!    optional intermediate certificates signed by the root certificate on
!    the client.  Intermediate certificates (usually stored with the leaf
!    certificate) can also be used to link the leaf certificate to the
!    root certificate.
    </para>
  
    <para>
+    Once a chain of trust has been established, there are two ways for
+    the client to validate the leaf certificate sent by the server.
     If the parameter <literal>sslmode</literal> is set to <literal>verify-ca</literal>,
     libpq will verify that the server is trustworthy by checking the
!    certificate chain up to the root certificate stored on the client.
!    If <literal>sslmode</literal> is set to <literal>verify-full</literal>,
!    libpq will <emphasis>also</emphasis> verify that the server host
!    name matches the name stored in the server certificate. The
!    SSL connection will fail if the server certificate cannot be
!    verified. <literal>verify-full</literal> is recommended in most
     security-sensitive environments.
    </para>
  
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 7601,7613 ****
    </para>
  
    <para>
!    To allow server certificate verification, the certificate(s) of one or more
!    trusted <acronym>CA</acronym>s must be
!    placed in the file <filename>~/.postgresql/root.crt</filename> in the user's home
!    directory. If intermediate <acronym>CA</acronym>s appear in
!    <filename>root.crt</filename>, the file must also contain certificate
!    chains to their root <acronym>CA</acronym>s. (On Microsoft Windows the file is named
!    <filename>%APPDATA%\postgresql\root.crt</filename>.)
    </para>
  
    <para>
--- 7621,7633 ----
    </para>
  
    <para>
!    To allow server certificate verification, one or more root certificates
!    must be placed in the file <filename>~/.postgresql/root.crt</filename>
!    in the user's home directory.  (On Microsoft Windows the file is named
!    <filename>%APPDATA%\postgresql\root.crt</filename>.)  Intermediate
!    certificates should also be added to the file if they are needed to link
!    the certificate chain sent by the server to the root certificates
!    stored on the client.
    </para>
  
    <para>
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 7641,7651 ****
    <title>Client Certificates</title>
  
    <para>
!    If the server requests a trusted client certificate,
!    <application>libpq</application> will send the certificate stored in
     file <filename>~/.postgresql/postgresql.crt</filename> in the user's home
!    directory.  The certificate must be signed by one of the certificate
!    authorities (<acronym>CA</acronym>) trusted by the server.  A matching
     private key file <filename>~/.postgresql/postgresql.key</filename> must also
     be present. The private
     key file must not allow any access to world or group; achieve this by the
--- 7661,7672 ----
    <title>Client Certificates</title>
  
    <para>
!    If the server attempts to verify the identity of the
!    client by requesting the client's leaf certificate,
!    <application>libpq</application> will send the certificates stored in
     file <filename>~/.postgresql/postgresql.crt</filename> in the user's home
!    directory.  The certificates must chain to the root certificate trusted
!    by the server.  A matching
     private key file <filename>~/.postgresql/postgresql.key</filename> must also
     be present. The private
     key file must not allow any access to world or group; achieve this by the
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 7660,7682 ****
    </para>
  
    <para>
!    In some cases, the client certificate might be signed by an
!    <quote>intermediate</quote> certificate authority, rather than one that is
!    directly trusted by the server.  To use such a certificate, append the
!    certificate of the signing authority to the <filename>postgresql.crt</filename>
!    file, then its parent authority's certificate, and so on up to a certificate
!    authority, <quote>root</quote> or <quote>intermediate</quote>, that is trusted by
!    the server, i.e. signed by a certificate in the server's root CA file
!    (<xref linkend="guc-ssl-ca-file"/>).
!   </para>
! 
!   <para>
!    Note that the client's <filename>~/.postgresql/root.crt</filename> lists the top-level CAs
!    that are considered trusted for signing server certificates.  In principle it need
!    not list the CA that signed the client's certificate, though in most cases
!    that CA would also be trusted for server certificates.
    </para>
- 
   </sect2>
  
   <sect2 id="libpq-ssl-protection">
--- 7681,7692 ----
    </para>
  
    <para>
!    The first certificate in <filename>postgresql.crt</filename> must be the
!    client's certificate because it must match the client's private key.
!    <quote>Intermediate</quote> certificates can be optionally appended
!    to the file &mdash; doing so avoids requiring storage of intermediate
!    certificates on the server (<xref linkend="guc-ssl-ca-file"/>).
    </para>
   </sect2>
  
   <sect2 id="libpq-ssl-protection">
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
new file mode 100644
index a2ebd3e..6352d53
*** a/doc/src/sgml/runtime.sgml
--- b/doc/src/sgml/runtime.sgml
*************** pg_dumpall -p 5432 | psql -d postgres -p
*** 2247,2286 ****
    </para>
  
    <para>
!    In some cases, the server certificate might be signed by an
!    <quote>intermediate</quote> certificate authority, rather than one that is
!    directly trusted by clients.  To use such a certificate, append the
!    certificate of the signing authority to the <filename>server.crt</filename> file,
!    then its parent authority's certificate, and so on up to a certificate
!    authority, <quote>root</quote> or <quote>intermediate</quote>, that is trusted by
!    clients, i.e. signed by a certificate in the clients'
!    <filename>root.crt</filename> files.
    </para>
  
    <sect2 id="ssl-client-certificates">
     <title>Using Client Certificates</title>
  
    <para>
!    To require the client to supply a trusted certificate, place
!    certificates of the certificate authorities (<acronym>CA</acronym>s)
!    you trust in a file named <filename>root.crt</filename> in the data
     directory, set the parameter <xref linkend="guc-ssl-ca-file"/> in
!    <filename>postgresql.conf</filename> to <literal>root.crt</literal>,
!    and add the authentication option <literal>clientcert=1</literal> to the
!    appropriate <literal>hostssl</literal> line(s) in <filename>pg_hba.conf</filename>.
!    A certificate will then be requested from the client during
!    SSL connection startup.  (See <xref linkend="libpq-ssl"/> for a
!    description of how to set up certificates on the client.)  The server will
     verify that the client's certificate is signed by one of the trusted
     certificate authorities.
    </para>
  
    <para>
!    If intermediate <acronym>CA</acronym>s appear in
!    <filename>root.crt</filename>, the file must also contain certificate
!    chains to their root <acronym>CA</acronym>s.  Certificate Revocation List
!    (CRL) entries
!    are also checked if the parameter <xref linkend="guc-ssl-crl-file"/> is set.
     <!-- If this URL changes replace it with a URL to www.archive.org. -->
     (See <ulink
     url="http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s02.html"></ulink>
--- 2247,2292 ----
    </para>
  
    <para>
!    The first certificate in <filename>server.crt</filename> must be the
!    server's certificate because it must match the server's private key.
!    The certificates of <quote>intermediate</quote> certificate authorities
!    can also be appended to the file.  Doing this avoids the necessity of
!    storing intermediate certificates on clients, assuming the root and
!    intermediate certificates were created with <literal>v3_ca</literal>
!    extensions.  This allows easier expiration of intermediate certificates.
!   </para>
! 
!   <para>
!    It is not necessary to add the root certificate to
!    <filename>server.crt</filename>.  Instead, clients must have the root
!    certificate of the server's certificate chain.
    </para>
  
    <sect2 id="ssl-client-certificates">
     <title>Using Client Certificates</title>
  
    <para>
!    To require the client to supply a trusted certificate,
!    place certificates of the root certificate authorities
!    (<acronym>CA</acronym>s) you trust in a file in the data
     directory, set the parameter <xref linkend="guc-ssl-ca-file"/> in
!    <filename>postgresql.conf</filename> to the new file name, and add the
!    authentication option <literal>clientcert=1</literal> to the appropriate
!    <literal>hostssl</literal> line(s) in <filename>pg_hba.conf</filename>.
!    A certificate will then be requested from the client during SSL
!    connection startup.  (See <xref linkend="libpq-ssl"/> for a description
!    of how to set up certificates on the client.)  The server will
     verify that the client's certificate is signed by one of the trusted
     certificate authorities.
    </para>
  
    <para>
!    Intermediate certificates that chain up to existing root certificates
!    can also appear in the <xref linkend="guc-ssl-ca-file"/> file if
!    you wish to avoid storing them on clients (assuming the root and
!    intermediate certificates were created with <literal>v3_ca</literal>
!    extensions).  Certificate Revocation List (CRL) entries are also
!    checked if the parameter <xref linkend="guc-ssl-crl-file"/> is set.
     <!-- If this URL changes replace it with a URL to www.archive.org. -->
     (See <ulink
     url="http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s02.html"></ulink>
*************** pg_dumpall -p 5432 | psql -d postgres -p
*** 2297,2310 ****
    </para>
  
    <para>
-    Note that the server's <filename>root.crt</filename> lists the top-level
-    CAs that are considered trusted for signing client certificates.
-    In principle it need
-    not list the CA that signed the server's certificate, though in most cases
-    that CA would also be trusted for client certificates.
-   </para>
- 
-   <para>
     If you are setting up client certificates, you may wish to use
     the <literal>cert</literal> authentication method, so that the certificates
     control user authentication as well as providing connection security.
--- 2303,2308 ----

--envbJBWh7q8WU6mo
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="openssl.diff"

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
new file mode 100644
index a2ebd3e..dca113b
*** a/doc/src/sgml/runtime.sgml
--- b/doc/src/sgml/runtime.sgml
*************** pg_dumpall -p 5432 | psql -d postgres -p
*** 2385,2394 ****
    </sect2>
  
    <sect2 id="ssl-certificate-creation">
!    <title>Creating a Self-signed Certificate</title>
  
     <para>
!      To create a quick self-signed certificate for the server, valid for 365
       days, use the following <productname>OpenSSL</productname> command,
       replacing <replaceable>yourdomain.com</replaceable> with the server's host name:
  <programlisting>
--- 2385,2394 ----
    </sect2>
  
    <sect2 id="ssl-certificate-creation">
!    <title>Creating Certificates</title>
  
     <para>
!      To create a simple self-signed certificate for the server, valid for 365
       days, use the following <productname>OpenSSL</productname> command,
       replacing <replaceable>yourdomain.com</replaceable> with the server's host name:
  <programlisting>
*************** chmod og-rwx server.key
*** 2406,2419 ****
     </para>
  
     <para>
!     A self-signed certificate can be used for testing, but a certificate
!     signed by a certificate authority (<acronym>CA</acronym>) (either one of the
!     global <acronym>CAs</acronym> or a local one) should be used in production
!     so that clients can verify the server's identity. If all the clients
!     are local to the organization, using a local <acronym>CA</acronym> is
!     recommended.
     </para>
  
    </sect2>
  
   </sect1>
--- 2406,2476 ----
     </para>
  
     <para>
!     While a self-signed certificate can be used for testing, a certificate
!     signed by a certificate authority (<acronym>CA</acronym>) (usually an
!     enterprise-wide root <acronym>CAs</acronym>) should be used in production.
     </para>
  
+    <para>
+     To create a server certificate whose identity can be validated
+     by clients, first create a public/private key pair and certificate
+     signing request (<acronym>CSR</acronym>):
+ <programlisting>
+ openssl req -new -nodes -text -out root.csr \
+   -keyout root.key -subj "/CN=<replaceable>root.yourdomain.com</replaceable>"
+ chmod og-rwx root.key
+ </programlisting>
+     Then, sign the request with the the private key to create a root
+ certificate authority:
+ <programlisting>
+ openssl x509 -req -in root.csr -text -days 365 \
+   -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
+   -signkey root.key -out root.crt
+ </programlisting>
+     Finally, create a server certificate signed by the new root certificate
+     authority:
+ <programlisting>
+ openssl req -new -nodes -text -out server.csr \
+   -keyout server.key -subj "/CN=<replaceable>dbhost.yourdomain.com</replaceable>"
+ chmod og-rwx server.key
+ 
+ openssl x509 -req -in server.csr -text -days 365 \
+   -CA root.crt -CAkey root.key -CAcreateserial \
+   -out server.crt
+ </programlisting>
+     <filename>server.crt</filename> and <filename>server.key</filename>
+     should be stored on the server, and <filename>root.crt</filename> should
+     be stored on the client so the client can verify that the server's leaf
+     certificate was signed by its trusted root certificate.
+    </para>
+ 
+    <para>
+     It is also possible to create a chain of trust that includes
+     intermediate certificates:
+ <programlisting>
+ openssl req -new -nodes -text -out root.csr \
+   -keyout root.key -subj "/CN=<replaceable>root.yourdomain.com</replaceable>"
+ chmod og-rwx root.key
+ openssl x509 -req -in root.csr -text -days 365 \
+   -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
+   -signkey root.key -out root.crt
+ 
+ openssl req -new -nodes -text -out intermediate.csr \
+   -keyout intermediate.key -subj "/CN=<replaceable>intermediate.yourdomain.com</replaceable>"
+ chmod og-rwx intermediate.key
+ openssl x509 -req -in intermediate.csr -text -days 365 \
+   -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
+   -CA root.crt -CAkey root.key -CAcreateserial \
+   -out intermediate.crt
+ 
+ openssl req -new -nodes -text -out server.csr \
+   -keyout server.key -subj "/CN=<replaceable>dbhost.yourdomain.com</replaceable>"
+ chmod og-rwx server.key
+ openssl x509 -req -in server.csr -text -days 365 \
+   -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
+   -out server.crt
+ </programlisting>
+    </para>
    </sect2>
  
   </sect1>

--envbJBWh7q8WU6mo--