
Re: Trust intermediate CA for client certificates


On 03/07/2013 12:42 PM, Ray Stell wrote:
> What Tom said works for me.  Here is a page that gives an example and I think it demonstrates that the root CA does not allow everybody in the gate, the chain has to be in place:
>  http://stackoverflow.com/questions/1456034/trouble-understanding-ssl-certificate-chain-verification

That page doesn't even mention PostgreSQL.

> You can use the "openssl verify" command to test that the root is not wide open on its own.

The issue is the behavior of the PostgreSQL server.  "openssl verify" is
germane only in that it points to the source of the problem -- OpenSSL's
insistence on ultimately validating all certificates against a self-
signed root CA.  This requires that the root CA certificate be present
in root.crt, which causes the server to accept connections from all
clients that can present a certificate chain leading to that root CA.

If you don't believe me, test with the attached files, which implement
the following hierarchy.

                    +---------+
                    | Root CA |
                    +---------+
                        /\
                       /  \
                      /    \
                     /      \
                    /        \
                   /          \
                  /            \
                 /              \
          +-----------+    +-----------+
          | Server CA |    | Client CA |
          +-----------+    +-----------+
                /\                \
               /  \                \
              /    \                \
             /      \                \
            /        \                \
           /          \                \
          /            \                \
         /              \                \
  +----------+      +--------+       +--------+
  | postgres |      | "Bad"  |       | "Good" |
  | (server) |      | client |       | client |
  +----------+      +--------+       +--------+

The goal is to configure the server such that the "good" client will
be allowed to connect (because its certificate is signed by the Client
CA), but the "bad" client will not be allowed to connect (because its
certificate is not signed by the Client CA).

You will find the following:

1. You cannot simply use client-ca.crt as $PGDATA/root.crt.  OpenSSL
   will not validate a client certificate without access to the root CA
   certificate.

2. To enable client connections, you must add the root CA certificate
   to $PGDATA/root.crt -- "cat client-ca.crt root-ca.crt > root.crt".

3. Once the root CA certificate is trusted, however, the "bad" client
   can also connect by using a certificate chain that includes the
   Server CA certificate -- "cat bad-client.crt server-ca.crt >
   ~/.postgresql/postgresql.crt".

After looking at be-secure.c and investigating the way that OpenSSL
validates certificates, I do not believe that there is any way of
achieving the desired behavior with the current codebase.

Adding pgsql-hackers to see if there is any interest in a patch to add
this functionality.

-- 
========================================================================
Ian Pilcher                                         arequipeno@xxxxxxxxx
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================

Attachment: root-ca.crt
Description: application/pkix-cert

Attachment: server-ca.crt
Description: application/pkix-cert

Attachment: client-ca.crt
Description: application/pkix-cert

Attachment: bad-client.crt
Description: application/pkix-cert


Attachment: good-client.crt
Description: application/pkix-cert


Attachment: postgres.crt
Description: application/pkix-cert

-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
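The three findings in the message above, reproduced with the openssl CLI alone instead of a running PostgreSQL server. This is an added example, not code from the original message or from the PostgreSQL project: it generates its own throwaway hierarchy named after the diagram (root-ca, server-ca, client-ca, postgres, bad-client, good-client), uses the verify trust file in place of $PGDATA/root.crt, and uses "-untrusted" in place of the extra certificate a client concatenates into ~/.postgresql/postgresql.crt. The last two checks show what changes when the verifier is told to stop at the intermediate ("-partial_chain", OpenSSL's X509_V_FLAG_PARTIAL_CHAIN, which was added to OpenSSL after this message was written); whether a particular server build sets that flag is a question about the server's code, which the message discusses, and is not something this script tests.

```shell
#!/bin/sh
# Added example, not part of the original message: rebuild the CA hierarchy
# from the diagram with throwaway keys and reproduce the three findings using
# "openssl verify" alone.  The trust file stands in for $PGDATA/root.crt and
# "-untrusted" stands in for the extra certificates a client bundles into
# ~/.postgresql/postgresql.crt.  Requires the openssl CLI (with -partial_chain
# support for the last two checks).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# issue NAME CN ISSUER CA-FLAG: create NAME.key and NAME.crt.  ISSUER="" means
# self-signed.  CA-FLAG is TRUE or FALSE for basicConstraints, which OpenSSL
# requires on every certificate above the leaf when it builds a chain.
issue() {
    name=$1 cn=$2 issuer=$3 ca=$4
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "/CN=$cn" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:%s\n' "$ca" > "$name.ext"
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
            -extfile "$name.ext" -out "$name.crt" >/dev/null 2>&1
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
            -CAcreateserial -days 1 -extfile "$name.ext" -out "$name.crt" >/dev/null 2>&1
    fi
}

# verify_with TRUST LEAF [CHAIN] [FLAGS]: print "accept" or "reject", i.e. the
# decision a verifier trusting only TRUST would reach for LEAF, given the
# extra certificates in CHAIN that the client sent along with it.
verify_with() {
    trust=$1 leaf=$2 chain=${3:-} flags=${4:-}
    if [ -n "$chain" ]; then
        set -- $flags -CAfile "$trust" -untrusted "$chain" "$leaf"
    else
        set -- $flags -CAfile "$trust" "$leaf"
    fi
    if openssl verify "$@" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

# The hierarchy from the diagram (all names are this example's own).
issue root-ca     "Root CA"   ""        TRUE
issue server-ca   "Server CA" root-ca   TRUE
issue client-ca   "Client CA" root-ca   TRUE
issue postgres    "postgres"  server-ca FALSE
issue bad-client  "bad"       server-ca FALSE
issue good-client "good"      client-ca FALSE

# 1. Trusting only the Client CA: OpenSSL rejects even the good client,
#    because it cannot extend the chain to a self-signed root.
echo "1. client-ca only, good client:   $(verify_with client-ca.crt good-client.crt)"   # reject

# 2. Add the Root CA (the message's "cat client-ca.crt root-ca.crt > root.crt")
#    and the good client is accepted ...
cat client-ca.crt root-ca.crt > root.crt
echo "2. root added, good client:       $(verify_with root.crt good-client.crt)"        # accept

# 3. ... but so is the bad client once it presents the Server CA in its chain
#    (the message's "cat bad-client.crt server-ca.crt > postgresql.crt").
echo "3. root added, bad client alone:  $(verify_with root.crt bad-client.crt)"         # reject
echo "   bad client + server-ca chain:  $(verify_with root.crt bad-client.crt server-ca.crt)"  # accept

# The behaviour the author wants needs the verifier to stop at a trusted
# intermediate.  With -partial_chain the good client is accepted while only
# client-ca.crt is trusted, and the bad client's chain has nowhere to land.
echo "partial chain, good client:       $(verify_with client-ca.crt good-client.crt '' -partial_chain)"         # accept
echo "partial chain, bad client + chain: $(verify_with client-ca.crt bad-client.crt server-ca.crt -partial_chain)"  # reject
```

Run it as-is and it prints one decision per finding. Note that "openssl verify" also consults the system CA directory by default; that does not change any result here because the throwaway root is not in it, but add "-no-CApath" when adapting the script to a real hierarchy so the decision depends only on the trust file under test.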
