Tom Lane wrote:
Bruce Momjian <[EMAIL PROTECTED]> writes:
Agreed.  Requiring client root certificate checking is heavy-handed.
There seems to be some confusion here.  I didn't think anyone was
proposing that we force every installation to require client root
certificate checking.  What was under discussion (I thought) was
providing the ability for a DBA to *choose* to require it.
Of course I am not sure anyone knows how to get that information from
SSL.
Yeah, if OpenSSL doesn't support testing for this then the discussion
is moot..
I believe SSL is only capable of letting you know whether authentication for each end point was 1) not requested, 2) optional requested, or 3) required. Note that even if the authentication is required, there is no way to know how authentication was performed. For example, did it check the signature chain, requiring it to map to a public root certificate lists used by most web browsers? If so, did it check the contents of the certificate, or is only checking that it exists? Did it check a local key store that has a copy of the public key certificate? Or did it just log the certificate subject?

OpenSSH, for instance, presents the user with the finger print of the certificate and asks you:

$ ssh 192.168.0.1
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
RSA key fingerprint is 3e:a7:0f:04:60:7e:8e:64:52:bf:81:92:a9:05:c7:36.
Are you sure you want to continue connecting (yes/no)?

While this certainly gives you the opportunity to challenge it, I don't know of any person who actually checks this finger print. Luckily, it stores it to ~/.ssh/known_hosts, and so the real issue is if it suddenly changes, you get a warning. Still, I've seen the warning before, and realized that "oh yes, that machine was upgraded, so it probably has a new public key". I have never personally checked the finger print against a known source. Authentication is only as strong as the person or process confirming it. In the case of trying to force a client to authenticate the server, this requires the client to know who the server is. As most clients will not know who the server is, I see clients implementing an OpenSSH-style authentication model (shown above), or providing their own no-op authentication routine to OpenSSL. I don't think it is worth it, and I don't think it would work.

Cheers,
mark

--
Mark Mielke <[EMAIL PROTECTED]>

Reply via email to