Tell openssl to include the names of the root certs the server trusts in

tglsfdc · tglsfdc · commit c3bf3bf2aa09 · 2010-05-26T15:52:37.000Z
requests for client certs.  This lets a client with a keystore select the
appropriate client certificate to send.  In particular, this is necessary
to get Java clients to work in all but the most trivial configurations.
Per discussion of bug #5468.

Craig Ringer
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.99 2010/02/26 02:00:42 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.100 2010/05/26 15:52:37 tgl Exp $
  *
  *	  Since the server static private key ($DataDir/server.key)
  *	  will normally be stored unencrypted so that the database
@@ -721,6 +721,7 @@ static void
 initialize_SSL(void)
 {
 	struct stat buf;
+	STACK_OF(X509_NAME) *root_cert_list = NULL;
 
 	if (!SSL_context)
 	{
@@ -810,7 +811,8 @@ initialize_SSL(void)
 						 ROOT_CERT_FILE)));
 		}
 	}
-	else if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1)
+	else if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1 ||
+			 (root_cert_list = SSL_load_client_CA_file(ROOT_CERT_FILE)) == NULL)
 	{
 		/*
 		 * File was there, but we could not load it. This means the file is
@@ -866,6 +868,13 @@ initialize_SSL(void)
 
 			ssl_loaded_verify_locations = true;
 		}
+
+		/* 
+		 * Tell OpenSSL to send the list of root certs we trust to clients in
+		 * CertificateRequests.  This lets a client with a keystore select the
+		 * appropriate client certificate to send to us.
+		 */
+		SSL_CTX_set_client_CA_list(SSL_context, root_cert_list);
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.99 2010/02/26 02:00:42 momjian Exp $`
	`14`	`+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.100 2010/05/26 15:52:37 tgl Exp $`
`15`	`15`	`*`
`16`	`16`	`* Since the server static private key ($DataDir/server.key)`
`17`	`17`	`* will normally be stored unencrypted so that the database`
`@@ -721,6 +721,7 @@ static void`
`721`	`721`	`initialize_SSL(void)`
`722`	`722`	`{`
`723`	`723`	`struct stat buf;`
	`724`	`+ STACK_OF(X509_NAME) *root_cert_list = NULL;`
`724`	`725`
`725`	`726`	`if (!SSL_context)`
`726`	`727`	`{`
`@@ -810,7 +811,8 @@ initialize_SSL(void)`
`810`	`811`	`ROOT_CERT_FILE)));`
`811`	`812`	`}`
`812`	`813`	`}`
`813`		`- else if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1)`
	`814`	`+ else if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1 \|\|`
	`815`	`+ (root_cert_list = SSL_load_client_CA_file(ROOT_CERT_FILE)) == NULL)`
`814`	`816`	`{`
`815`	`817`	`/*`
`816`	`818`	`* File was there, but we could not load it. This means the file is`
`@@ -866,6 +868,13 @@ initialize_SSL(void)`
`866`	`868`
`867`	`869`	`ssl_loaded_verify_locations = true;`
`868`	`870`	`}`
	`871`	`+`
	`872`	`+ /*`
	`873`	`+ * Tell OpenSSL to send the list of root certs we trust to clients in`
	`874`	`+ * CertificateRequests. This lets a client with a keystore select the`
	`875`	`+ * appropriate client certificate to send to us.`
	`876`	`+ */`
	`877`	`+ SSL_CTX_set_client_CA_list(SSL_context, root_cert_list);`
`869`	`878`	`}`
`870`	`879`	`}`
`871`	`880`