SSL client crt verification

Started by Knut P Lehre over 20 years ago, 5 messages
#1 Knut P Lehre
k.p.lehre@world-online.no

Tried doc search, pgsql-general and #postgresql.

Server: 7.4.8 on Red Hat EL4. Client psql 8.0.3 on WinXP.
Using a test server.crt and server.key, as described in 8.0 docs 16.8, I
can activate SSL encryption (WinXP 8.0.3 psql reports "SSL Connection" at
connect), and as expected, the server log reports that root.crt is not found.
If I copy server.crt to root.crt and start up server again, the missing
root.crt message disappears. But I can still connect with psql with no postgresql.crt
on client (docs 27.13). Apparently, the root.crt, which in this case is
a copy of server.crt, is not interpreted as a CA crt, but how does the server
know? Isn't a CA cert just a self signed crt? Why is there not a warning
that client authentication will not take place, when it apparently does
not? Does the server only check that a root.crt file is present, and not
that it contains valid information?

Comments appreciated
KPL

#2 Douglas McNaught
doug@mcnaught.org
In reply to: Knut P Lehre (#1)
Re: SSL client crt verification

"Knut P Lehre" <k.p.lehre@world-online.no> writes:

> Server: 7.4.8 on Red Hat EL4. Client psql 8.0.3 on WinXP. Using a
> test server.crt and server.key, as described in 8.0 docs 16.8, I can
> activate SSL encryption (WinXP 8.0.3 psql reports "SSL Connection"
> at connect), and as expected, the server log reports that root.crt
> is not found. If I copy server.crt to root.crt and start up server
> again, the missing root.crt message disappears. But I can still
> connect with psql with no postgresql.crt on client (docs
> 27.13). Apparently, the root.crt, which in this case is a copy of
> server.crt, is not interpreted as a CA crt, but how does the server
> know? Isn't a CA cert just a self signed crt? Why is there not a
> warning that client authentication will not take place, when it
> apparently does not? Does the server only check that a root.crt file
> is present, and not that it contains valid information?

You really need a separate root CA cert and server key. The server
key should be signed by the root CA, which is self-signed. The root
CA private key should be kept secure somewhere else--the database
server doesn't need access to it.

I just went through the whole exercise of creating a CA and setting up
an app for client cert authentication, so I am reasonably sure the
above is your problem.

For client auth to work, you need:

* Root CA certificate available to both client and server
* Server cert signed by root CA, with CN=server hostname
* Client cert signed by root CA, available to client to present to
server.

-Doug
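
The three items in the list above, built with the `openssl` command line and checked with `openssl verify`. This is an added example, not part of the original post; the host name `db.example.test`, the user `appuser`, the file names other than root.crt, server.crt and postgresql.crt, and the 30-day lifetime are assumptions.

```sh
#!/bin/sh
# Added example; host db.example.test and user appuser are constructed names.
set -eu

# Build Doug's three items in directory $1: root.crt (self-signed CA),
# server.crt (CN=$2) and the client's postgresql.crt (CN=$3).
make_pki() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # ca.key signs certificates; the database server never needs it.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/root.crt" 2>/dev/null
    issue "$1" server "$2"
    issue "$1" postgresql "$3"
}

# Create a key and CSR for CN=$3, then sign it with the CA in $1 as $2.crt.
issue() {
    openssl req -new -nodes -newkey rsa:2048 -config "$1/ca.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/root.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# Succeeds only if certificate $2 chains to the trust anchor file $1.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Self-signed certificate for CN=$2, standing in for a test server.crt.
self_signed() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/selfsigned.key" -out "$1/selfsigned.crt" 2>/dev/null
}

work=$(mktemp -d)
make_pki "$work" db.example.test appuser
self_signed "$work" db.example.test
chains_to "$work/root.crt" "$work/postgresql.crt" && echo "client cert chains to root.crt"
chains_to "$work/selfsigned.crt" "$work/postgresql.crt" ||
    echo "client cert does not chain to a self-signed server.crt used as root.crt"
```

The second check shows what a root.crt copied from a self-signed server.crt amounts to: a trust anchor that vouches only for certificates signed by the server's own key.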

#3 Knut P Lehre
k.p.lehre@world-online.no
In reply to: Douglas McNaught (#2)
Re: SSL client crt verification

> > Server: 7.4.8 on Red Hat EL4. Client psql 8.0.3 on WinXP. Using a
> > test server.crt and server.key, as described in 8.0 docs 16.8, I can
> > activate SSL encryption (WinXP 8.0.3 psql reports "SSL Connection"
> > at connect), and as expected, the server log reports that root.crt
> > is not found. If I copy server.crt to root.crt and start up server
> > again, the missing root.crt message disappears. But I can still
> > connect with psql with no postgresql.crt on client (docs
> > 27.13). Apparently, the root.crt, which in this case is a copy of
> > server.crt, is not interpreted as a CA crt, but how does the server
> > know? Isn't a CA cert just a self signed crt? Why is there not a
> > warning that client authentication will not take place, when it
> > apparently does not? Does the server only check that a root.crt file
> > is present, and not that it contains valid information?
>
> You really need a separate root CA cert and server key. The server
> key should be signed by the root CA, which is self-signed. The root
> CA private key should be kept secure somewhere else--the database
> server doesn't need access to it.
>
> I just went through the whole exercise of creating a CA and setting up
> an app for client cert authentication, so I am reasonably sure the
> above is your problem.
>
> For client auth to work, you need:
>
> * Root CA certificate available to both client and server
> * Server cert signed by root CA, with CN=server hostname
> * Client cert signed by root CA, available to client to present to
> server.
>
> -Doug

Thanks for your comments.
I seem to get SSL client authentication to work with an 8.0.3 server on win32
(a client crt needed for connection), but still not with the 7.4.8 server
on Red Hat EL4, even with separate root CA subject and server.crt subject,
as you suggest.
Interestingly, version 8 docs (16.8) mention the root.crt file needed for
client auth, while 7.4 docs do not mention it. Similarly, the 27.13 section
on libpq SSL support in 8 docs is not there in the 7.4 docs. Maybe my problem
is that 7.4.8 doesn't support client authentication? However, that doesn't
fit with the fact that the 7.4.8 server log reports that it will not verify
client certificates if the root.crt file is missing in the server data directory.
Have I missed some points regarding linux or 7.4 SSL setup? From docs I
understand that I only have to set SSL = true in postgresql.conf to switch
it on (in addition to providing the crt and key files).

KPL

#4 Knut P Lehre
k.p.lehre@world-online.no
In reply to: Knut P Lehre (#3)
Re: SSL client crt verification

To the last sentence in my last post "Re: SSL client crt verification":

"From docs I understand that I only have to set SSL = true in postgresql.conf
to switch it on (in addition to providing the crt and key files)."

I should have added:

"...and using "hostssl" in pg_hba.conf (although "host" also works on my
8.0.3 server, presumably because of the default sslmode=prefer in libpq)."

KPL

#5 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Knut P Lehre (#3)
Re: SSL client crt verification

"Knut P Lehre" <k.p.lehre@world-online.no> writes:

> Maybe my problem is that 7.4.8 doesn't support client authentication?

The code is there but it's pretty buggy, as I recall. I'd suggest
updating to 8.0 if you want to use SSL for authentication.

regards, tom lane