ssl client cert authentication
Someone asked about ssl client cert auth recently. I got
this to work, but something tripped me up.
http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html
states (very clearly, btw) that, "To require the client to supply a
trusted certificate, place certificates of the certificate authorities
(CAs) you trust in the file root.crt in the data directory." I had
ASS-U-MEd that root.crt would go in .postgresql as it does for encryption.
This begs the question, why two copies of the same file?
Ray Stell <stellr@cns.vt.edu> writes:
> Someone asked about ssl client cert auth recently. I got
> this to work, but something tripped me up.
> http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html
> states (very clearly, btw) that, "To require the client to supply a
> trusted certificate, place certificates of the certificate authorities
> (CAs) you trust in the file root.crt in the data directory." I had
> ASS-U-MEd that root.crt would go in .postgresql as it does for encryption.
> This begs the question, why two copies of the same file?
The one in ~/.postgresql is for client usage. The one in $PGDATA is for
the server's use. There's no reason to assume they'd be the same.
regards, tom lane
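As an added example (not from the thread): the two root.crt files are separate trust stores, and the pairing matters. The script below uses openssl alone to build a server CA and a client CA, issues one certificate from each, puts each CA certificate where the thread says it belongs (scratch directories stand in for ~/.postgresql and $PGDATA; host and user names are constructed), and shows that each certificate verifies only against the other side's store.

```shell
#!/bin/sh
# Added example, not from the thread. Scratch dirs stand in for the two
# locations discussed; nothing here touches a running PostgreSQL.
set -eu
WORK=$(mktemp -d)
CLIENT_HOME="$WORK/home/.postgresql"   # stands in for ~/.postgresql (libpq)
PGDATA="$WORK/pgdata"                  # stands in for the server's data dir
mkdir -p "$CLIENT_HOME" "$PGDATA"

# make_ca NAME: self-signed CA key and certificate (constructed, 1-day lifetime)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
# issue CA CN OUT: leaf certificate for CN, signed by CA
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$3.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$3.crt" 2>/dev/null
}
# verify_against STORE CERT: succeeds only if CERT chains to a CA in STORE
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca server-ca                    # signs the database server's cert
make_ca client-ca                    # signs end-user client certs
issue server-ca db.example server    # constructed host name
issue client-ca alice client         # constructed user name

# Each side's root.crt holds the CA that signed the OTHER side's certificate.
cp "$WORK/server-ca.crt" "$CLIENT_HOME/root.crt"   # client checks the server
cp "$WORK/client-ca.crt" "$PGDATA/root.crt"        # server checks the client

# Intended pairings succeed:
verify_against "$CLIENT_HOME/root.crt" "$WORK/server.crt" && echo "~/.postgresql/root.crt trusts server cert"
verify_against "$PGDATA/root.crt" "$WORK/client.crt"      && echo "\$PGDATA/root.crt trusts client cert"
# One file copied to both places (the assumption in the thread) would not:
verify_against "$PGDATA/root.crt" "$WORK/server.crt"      || echo "\$PGDATA/root.crt rejects server cert"
verify_against "$CLIENT_HOME/root.crt" "$WORK/client.crt" || echo "~/.postgresql/root.crt rejects client cert"
```

libpq only consults ~/.postgresql/root.crt when the connection uses sslmode=verify-ca or verify-full, so a missing client-side file is silently ignored under the weaker modes.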
On Mon, Nov 01, 2010 at 12:46:33PM -0400, Tom Lane wrote:
> Ray Stell <stellr@cns.vt.edu> writes:
> > Someone asked about ssl client cert auth recently. I got
> > this to work, but something tripped me up.
> > http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html
> > states (very clearly, btw) that, "To require the client to supply a
> > trusted certificate, place certificates of the certificate authorities
> > (CAs) you trust in the file root.crt in the data directory." I had
> > ASS-U-MEd that root.crt would go in .postgresql as it does for encryption.
> > This begs the question, why two copies of the same file?
>
> The one in ~/.postgresql is for client usage. The one in $PGDATA is for
> the server's use. There's no reason to assume they'd be the same.
>
> regards, tom lane
I think I see where I went off:
31.17. SSL Support
Changing this to:
31.17. Client SSL Support
would be helpful. Also,
31.17.4. SSL File Usage
might be:
31.17.4. SSL Client File Usage
They did this in the server section, so I'm not completely nuts:
17.8.2. SSL Server File Usage
In hindsight it is very clear. Chapter 17 is on the server and 31 is on the
client. Adding those section title words would have helped me stay on
course.
Another way of providing a clue would be to add $PGDATA somewhere in Table
17-3. SSL Server File Usage. They did that sort of thing on the client side
in Table 31-4. Libpq/Client SSL File Usage.
Ray Stell wrote:
> On Mon, Nov 01, 2010 at 12:46:33PM -0400, Tom Lane wrote:
> > Ray Stell <stellr@cns.vt.edu> writes:
> > > Someone asked about ssl client cert auth recently. I got
> > > this to work, but something tripped me up.
> > > http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html
> > > states (very clearly, btw) that, "To require the client to supply a
> > > trusted certificate, place certificates of the certificate authorities
> > > (CAs) you trust in the file root.crt in the data directory." I had
> > > ASS-U-MEd that root.crt would go in .postgresql as it does for encryption.
> > > This begs the question, why two copies of the same file?
> >
> > The one in ~/.postgresql is for client usage. The one in $PGDATA is for
> > the server's use. There's no reason to assume they'd be the same.
> >
> > regards, tom lane
>
> I think I see where I went off:
> 31.17. SSL Support
> Changing this to:
> 31.17. Client SSL Support
> would be helpful. Also,
> 31.17.4. SSL File Usage
> might be:
> 31.17.4. SSL Client File Usage
> They did this in the server section, so I'm not completely nuts:
> 17.8.2. SSL Server File Usage
>
> In hindsight it is very clear. Chapter 17 is on the server and 31 is on the
> client. Adding those section title words would have helped me stay on
> course.
>
> Another way of providing a clue would be to add $PGDATA somewhere in Table
> 17-3. SSL Server File Usage. They did that sort of thing on the client side
> in Table 31-4. Libpq/Client SSL File Usage.
These are all very good ideas and I have applied them for 9.1 in the
attached patch. I also found a few libpq titles that needed
capitalization, which is also in the patch. Thanks for the ideas.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +