Allow SSL to work withouth client-side certificate infrastructure.

bmomjian · bmomjian · commit 15b95cf87270 · 2002-09-26T04:41:55.000Z
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.139 2002/09/25 21:16:10 petere Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.140 2002/09/26 04:41:54 momjian Exp $
 -->
 
 <Chapter Id="runtime">
@@ -2876,6 +2876,7 @@ openssl rsa -in privkey.pem -out cert.pem
    Enter the old passphrase to unlock the existing key. Now do
 <programlisting>
 openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
+chmod og-rwx cert.pem
 cp cert.pem <replaceable>$PGDATA</replaceable>/server.key
 cp cert.cert <replaceable>$PGDATA</replaceable>/server.crt
 </programlisting>
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.14 2002/09/04 23:31:34 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.15 2002/09/26 04:41:54 momjian Exp $
  *
  *	  Since the server static private key ($DataDir/server.key)
  *	  will normally be stored unencrypted so that the database
@@ -642,9 +642,13 @@ initialize_SSL(void)
 	snprintf(fnbuf, sizeof fnbuf, "%s/root.crt", DataDir);
 	if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, CA_PATH))
 	{
+		return 0;
+#ifdef NOT_USED
+		/* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
 		postmaster_error("could not read root cert file (%s): %s",
 						 fnbuf, SSLerrmessage());
 		ExitPostmaster(1);
+#endif
 	}
 	SSL_CTX_set_verify(SSL_context,
 					SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_cb);
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.13 2002/09/22 20:57:21 petere Exp $
+ *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.14 2002/09/26 04:41:55 momjian Exp $
  *
  * NOTES
  *	  The client *requires* a valid server certificate.  Since
@@ -726,10 +726,14 @@ initialize_SSL(PGconn *conn)
 				 pwd->pw_dir);
 		if (stat(fnbuf, &buf) == -1)
 		{
+			return 0;
+#ifdef NOT_USED
+			/* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
 			printfPQExpBuffer(&conn->errorMessage,
 				 libpq_gettext("could not read root certificate list (%s): %s\n"),
 							  fnbuf, strerror(errno));
 			return -1;
+#endif
 		}
 		if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, 0))
 		{
@@ -789,6 +793,8 @@ open_client_SSL(PGconn *conn)
 
 	/* check the certificate chain of the server */
 
+#ifdef NOT_USED
+	/* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
 	/*
 	 * this eliminates simple man-in-the-middle attacks and simple
 	 * impersonations
@@ -802,6 +808,7 @@ open_client_SSL(PGconn *conn)
 		close_SSL(conn);
 		return -1;
 	}
+#endif
 
 	/* pull out server distinguished and common names */
 	conn->peer = SSL_get_peer_certificate(conn->ssl);
@@ -824,6 +831,8 @@ open_client_SSL(PGconn *conn)
 
 	/* verify that the common name resolves to peer */
 
+#ifdef NOT_USED
+	/* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
 	/*
 	 * this is necessary to eliminate man-in-the-middle attacks and
 	 * impersonations where the attacker somehow learned the server's
@@ -834,6 +843,7 @@ open_client_SSL(PGconn *conn)
 		close_SSL(conn);
 		return -1;
 	}
+#endif
 
 	return 0;
 }

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.14 2002/09/04 23:31:34 tgl Exp $`
	`14`	`+ * $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.15 2002/09/26 04:41:54 momjian Exp $`
`15`	`15`	`*`
`16`	`16`	`* Since the server static private key ($DataDir/server.key)`
`17`	`17`	`* will normally be stored unencrypted so that the database`
`@@ -642,9 +642,13 @@ initialize_SSL(void)`
`642`	`642`	`snprintf(fnbuf, sizeof fnbuf, "%s/root.crt", DataDir);`
`643`	`643`	`if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, CA_PATH))`
`644`	`644`	`{`
	`645`	`+ return 0;`
	`646`	`+#ifdef NOT_USED`
	`647`	`+ /* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */`
`645`	`648`	`postmaster_error("could not read root cert file (%s): %s",`
`646`	`649`	`fnbuf, SSLerrmessage());`
`647`	`650`	`ExitPostmaster(1);`
	`651`	`+#endif`
`648`	`652`	`}`
`649`	`653`	`SSL_CTX_set_verify(SSL_context,`
`650`	`654`	`SSL_VERIFY_PEER \| SSL_VERIFY_CLIENT_ONCE, verify_cb);`