Re: [PATCHES] doc patch for ssl in server
| From | Tom Lane |
|---|---|
| Subject | Re: [PATCHES] doc patch for ssl in server |
| Date | |
| Msg-id | 12154.1095974788@sss.pgh.pa.us |
| List | pgsql-hackers |
dom@happygiraffe.net (Dominic Mitchell) writes:
> On Thu, Sep 23, 2004 at 04:37:52PM -0400, Tom Lane wrote:
>> That last statement is not actually correct, is it? AFAICS we do tell
>> SSL to enforce certificates if we find a valid root.crt file.

> According to the docs[1], you also need
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT if you want requests that do not send a
> certificate to be rejected. That terminates the connection immediately.

> [1] http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

Hmm. Reading the SSL man page more closely, you're right. This is a bug IMHO --- the intention was that presence of a root.crt file would force verification. What we wanted to do was to allow servers to operate without a root.crt file if they didn't care about verifying client certificates. It looks like the original coder simply got this backwards: the backend code doesn't set SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but the frontend code does, which is silly because the flag is ignored on the client side.

Does anyone see a reason not to turn on SSL_VERIFY_FAIL_IF_NO_PEER_CERT on the backend side?

regards, tom lane
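The server-side verify-mode decision discussed in the message above, written out as an added example. This is not PostgreSQL's backend code: it uses Python's standard ssl module, which wraps the same OpenSSL flags (CERT_OPTIONAL is SSL_VERIFY_PEER alone; CERT_REQUIRED is SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT). The `root.crt` file name is the one from the thread; the `buggy` switch and the helper names are this example's own, and the path passed in the demo is assumed not to exist.

```python
"""Client-certificate enforcement keyed on the presence of root.crt.

Added example, not PostgreSQL code. Python's ssl module maps its verify
modes onto OpenSSL's SSL_CTX_set_verify() flags as follows:
    CERT_NONE     -> SSL_VERIFY_NONE
    CERT_OPTIONAL -> SSL_VERIFY_PEER
    CERT_REQUIRED -> SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
"""
import os
import ssl


def verify_mode_for_server(root_crt_present: bool, buggy: bool = False) -> ssl.VerifyMode:
    """Pick the server's verify mode from whether a root.crt exists.

    buggy=True reproduces the behaviour the thread calls a bug: SSL_VERIFY_PEER
    without SSL_VERIFY_FAIL_IF_NO_PEER_CERT. A certificate the client does send
    is checked against root.crt, but a client that sends none is let through.
    """
    if not root_crt_present:
        # No root.crt: the server does not care about client certificates.
        return ssl.CERT_NONE
    return ssl.CERT_OPTIONAL if buggy else ssl.CERT_REQUIRED


def accepts_client_without_cert(mode: ssl.VerifyMode) -> bool:
    """True if a client presenting no certificate can still complete the
    handshake under this verify mode. Only CERT_REQUIRED rejects it."""
    return mode != ssl.CERT_REQUIRED


def configure_server_context(root_crt: str, buggy: bool = False) -> ssl.SSLContext:
    """Build a server context; root_crt is a hypothetical path to the CA file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    present = os.path.isfile(root_crt)
    if present:
        ctx.load_verify_locations(cafile=root_crt)
    ctx.verify_mode = verify_mode_for_server(present, buggy)
    return ctx


def configure_client_context() -> ssl.SSLContext:
    """Client side, for contrast with the frontend code mentioned above.

    On the client SSL_VERIFY_FAIL_IF_NO_PEER_CERT has no effect, because a
    server that sends no certificate fails the handshake anyway; Python
    documents the same thing as CERT_OPTIONAL meaning CERT_REQUIRED in client
    mode. PROTOCOL_TLS_CLIENT already defaults to CERT_REQUIRED.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed demo path, assumed not to exist on this machine.
    for path, buggy in (("/nonexistent/root.crt", False), ("/nonexistent/root.crt", True)):
        mode = configure_server_context(path, buggy).verify_mode
        print(path, "buggy" if buggy else "fixed", mode.name,
              "accepts cert-less client:", accepts_client_without_cert(mode))
    for present in (True,):
        print("root.crt present, backend as shipped:",
              accepts_client_without_cert(verify_mode_for_server(present, buggy=True)))
        print("root.crt present, with FAIL_IF_NO_PEER_CERT:",
              accepts_client_without_cert(verify_mode_for_server(present)))
```

The point the check makes is the one from the man page: with a CA file loaded but only SSL_VERIFY_PEER set, a peer that offers no certificate is verified vacuously, so requiring client certificates on a server means setting both flags.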