| From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Lou Picciano <loupicciano(at)comcast(dot)net>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org>, Srinivas Aji <srinivas(dot)aji(at)emc(dot)com> |
| Subject: | Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present |
| Date: | 2011-09-23 13:55:43 |
| Message-ID: | 1316785695-sup-1595@alvh.no-ip.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs pgsql-hackers |
Excerpts from Magnus Hagander's message of vie sep 23 10:39:46 -0300 2011:
> On Fri, Sep 23, 2011 at 14:49, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> > On Fri, Sep 23, 2011 at 8:38 AM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> >> On Fri, Sep 23, 2011 at 14:35, Lou Picciano <loupicciano(at)comcast(dot)net> wrote:
> >>> On Wed, Aug 31, 2011 at 11:59, Srinivas Aji <srinivas(dot)aji(at)emc(dot)com> wrote:
> >>>>
> >>>> The following bug has been logged online:
> >>>>
> >>>> Bug reference: 6189
> >>>> Logged by: Srinivas Aji
> >>>> Email address: srinivas(dot)aji(at)emc(dot)com
> >>>> PostgreSQL version: 9.0.4
> >>>> Operating system: Linux
> >>>> Description: libpq: sslmode=require verifies server certificate if
> >>>> root.crt is present
> >>> So basically, the behaviour that is by design is:
> >>> * require: if certificate exists, verify. if certificate doesn't
> >>> exist, don't verify.
> >>> * verify-ca: if certificate exists, verify. if certificate doesn't
> >>> exist, disconnect.
> > I definitely don't think we should back-patch a behavior change that
> > silently weakens security. That's not good.
> >
> > But what about not doing it in master, either? It seems to me that we
> > could avoid ever breaking backward compatibility by adding a new
> > option "require-no-verify".
>
> Hmm. Intersting. and we could then deprecate the "require" option and
> kill it off 4 releases later or so, I guess...
So we would have
sslmode=verify-ca / require-no-verify / verify-full / disable / allow / prefer
?
This seems strange to me. Why not have a second option to let the user
indicate the desired SSL verification?
sslmode=disable/allow/prefer/require
sslverify=none/ca-if-present/ca/full
(ca-if-present being the current "require" sslmode behavior).
We could then deprecate sslmode=verify and verify-full and have them be
synonyms of sslmode=require and corresponding sslverify.
--
Álvaro Herrera <alvherre(at)commandprompt(dot)com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2011-09-23 14:31:37 | Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present |
| Previous Message | Magnus Hagander | 2011-09-23 13:39:46 | Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2011-09-23 14:12:39 | Re: [pgsql-advocacy] Unlogged vs. In-Memory |
| Previous Message | Cédric Villemain | 2011-09-23 13:48:39 | Re: new createuser option for replication role |