On Tue, Mar 19, 2013 at 09:37:18PM +0800, Craig Ringer wrote:
> On 03/19/2013 08:39 PM, Stephen Frost wrote:
> > Craig,
> >
> > * Craig Ringer (cr...@2ndquadrant.com) wrote:
> >> Yep, in most applications I've seen you usually store a list of
> >> authorized SubjectDNs or you just use your own self-signed root and
> >> issue certs from it.
> >
> > Even with a self-signed root issuing certs, you need to map the
> > individual cert to a PG user in some fashion.
> >
>
> The more I look at this, the more it looks like trying to use
> intermediate CAs as authentication roots is largely wrong anyway. We
> should document this with something like:
>
> NOTE: Only self-signed root CA certificates should be added to
> ssl_ca_file. If you add an intermediate CA certificate (one that's not
> self-signed) then PostgreSQL will not be able to validate client
> certificates against it because it will not have access to the full
> certificate chain. You can't fix that by adding the full certificate
> chain, because PostgreSQL will then accept client certificates trusted by
> any member of the chain, including the root, so the effect is the same
> as placing only the root certificate in the file. It is not currently
> possible to trust certificates signed by an intermediate CA but not the
> parents in its certificate chain.
>
> ... plus some explanation that having a valid trusted cert doesn't mean
> you're authorized for access, you still have to meet the requirements in
> pg_hba.conf, have a valid username/password or match an authorized
> certificate DN (depending on config), etc.
>
> As far as I'm concerned that's the immediate problem fixed. It may be
> worth adding a warning on startup if we find non-self-signed certs in
> root.crt too, something like 'WARNING: Intermediate certificate found in
> root.crt. This does not do what you expect and your configuration may be
> insecure; see the Client Certificates chapter in the documentation.'
Yes, I like this.

-- 
  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + It's impossible for everything to be true. +

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers