[PATCH] Documentation bug related to client authentication using TLS certificate
Hi
I found a documentation bug about client authentication using TLS certificates. When clientcert authentication is enabled in pg_hba.conf, libpq does not verify that the common name in the certificate matches the database username, as described in the documentation, before allowing the client connection.
Instead, when sslmode is set to “verify-full”, libpq will verify if the server host name matches the common name in the client certificate. When sslmode is set to “verify-ca”, libpq will verify that the client is trustworthy by checking the certificate trust chain up to the root certificate, and it does not verify that the server hostname and certificate common name match in this case.
The attached patch corrects the clientcert authentication description in the documentation.
cheers
Cary Huang
-------------
HighGo Software Inc. (Canada)
mailto:cary.huang@highgo.ca
Attachment: client_cert_auth.patch
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 5f1eec78fb..ec4d637a12 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -2046,9 +2046,12 @@ host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""
authentication, the authentication option <literal>clientcert</literal> is
assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>,
and it cannot be turned off since a client certificate is necessary for this
- method. What the <literal>cert</literal> method adds to the basic
- <literal>clientcert</literal> certificate validity test is a check that the
- <literal>cn</literal> attribute matches the database user name.
+ method. If sslmode is set to <literal>verify-full</literal>, libpq will verify
+ that the server host name matches the <literal>cn</literal> stored in the
+ client certificate. If sslmode is set to <literal>verify-ca</literal>, libpq
+ will verify that the client is trustworthy by checking the certificate chain
+ up to the root certificate and it does not verify server hostname and client
+ certificate common name match.
</para>
</sect1>
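Review bot: The replacement text in this hunk is incorrect and the hunk should be dropped, as the thread itself later concludes. The added sentence "If sslmode is set to <literal>verify-full</literal>, libpq will verify that the server host name matches the <literal>cn</literal> stored in the client certificate" describes the check libpq applies to the server certificate (sslmode is a client-side libpq setting), not a check on the client certificate, while the removed lines stating that the cert method checks the <literal>cn</literal> attribute against the database user name describe the server-side check this paragraph documents. If any wording change does survive, <literal>sslmode</literal> should carry the same markup as the other option names in the paragraph.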
Hi, Cary.
On 3/2/20 1:06 PM, Cary Huang wrote:
Hi
I found a document bug about client authentication using TLS
certificate. When clientcert authentication is enabled in pg_hba.conf,
libpq does not verify that the *common name* in certificate
matches *database username* like it is described in the documentation
before allowing client connection. Instead, when sslmode is set to “verify-full”, libpq will verify if the
*server host name* matches the *common name* in client certificate.
This sounds incorrect. My understanding is that the *server* host name
is always matched with the *server* common name.
When sslmode is set to “verify-ca”, libpq will verify that the client is
trustworthy by checking the certificate trust chain up to the root
certificate and it does not verify *server hostname* and
certificate *common name* match in this case.
Similarly, libpq will verify the *server* is trustworthy by checking the
*server* certificate up to the root. It does not verify that the host
name matches the common name in the *server* certificate.
In all cases, libpq is responsible for verifying the *server* is who it
claims to be.
-- Chris
Hi Chris
Thank you for your feedback. You are right, libpq verifies that the server is trustworthy by checking the server certificate, and checks that the hostname matches the server common name when sslmode is verify-full; this is already explained on another documentation page: https://www.postgresql.org/docs/current/libpq-ssl.html
Having done another investigation, I found that the original documentation (https://www.postgresql.org/docs/current/auth-cert.html) is actually right. The server is indeed also checking that the client certificate cn matches the database user name if the authentication method is set to "cert".
Please disregard this patch.
thanks!
Cary
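The two independent checks the thread ends up agreeing on, shown as an added configuration example that is not part of the original message or of the PostgreSQL documentation. Host names, file names and the user name are constructed placeholders; the option names and their behaviour are the documented ones.

```conf
# ---- Server side (postgresql.conf): what the server verifies about the CLIENT ----
ssl = on
ssl_cert_file = 'server.crt'    # presented to clients
ssl_key_file  = 'server.key'
ssl_ca_file   = 'root.crt'      # CA that must have issued the client certificates

# ---- Server side (pg_hba.conf) ----
# TYPE    DATABASE  USER  ADDRESS      METHOD
hostssl   all       all   10.0.0.0/8   cert
# The "cert" method implies clientcert=verify-full: the server checks that the
# client certificate chains to ssl_ca_file AND that its cn equals the database
# user name being requested (here "alice"). It is the server, not libpq, that
# performs this check; sslmode plays no part in it.

# ---- Client side (libpq connection string): what libpq verifies about the SERVER ----
# psql "host=db.example.com dbname=app user=alice \
#       sslmode=verify-full sslrootcert=root.crt \
#       sslcert=alice.crt sslkey=alice.key"
#
# sslmode=verify-ca   : libpq checks that server.crt chains to sslrootcert.
# sslmode=verify-full : as above, and additionally that "db.example.com" matches
#                       the server certificate's name; the client certificate's cn
#                       is never compared against the host name.
# With the pg_hba.conf line above, a connection succeeds only if BOTH the
# server-side cn check and the client-side sslmode check pass.
```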