Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present

<div style="font-family: Verdana; font-size: 12pt; color: #000000"><b>From: </b>"Magnus Hagander"
<magnus@hagander.net><br/><b>To: </b>"Srinivas Aji" <srinivas.aji@emc.com><br /><b>Cc:
</b>"PostgreSQL-development"<pgsql-hackers@postgresql.org><br /><b>Sent: </b>Friday, September 23, 2011 7:28:09
AM<br/><b>Subject: </b>[HACKERS] Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt
ispresent<br /><br />On Wed, Aug 31, 2011 at 11:59, Srinivas Aji <srinivas.aji@emc.com> wrote:<br />><br
/>>The following bug has been logged online:<br />><br />> Bug reference:      6189<br />> Logged by:      
  Srinivas Aji<br />> Email address:      srinivas.aji@emc.com<br />> PostgreSQL version: 9.0.4<br />>
Operatingsystem:   Linux<br />> Description:        libpq: sslmode=require verifies server certificate if<br />>
root.crtis present<br />> Details:<br />><br />...<br />><br />> The observed behaviour is a bit different.
Ifthe ~/.postgresql/root.crt<br />> file (or any other filename set through sslrootcert option) is found,<br />>
sslmode=requirealso performs the same level of certificate verification as<br />> verify-ca. The difference between
requireand verify-ca is that it is an<br />> error for the file to not exist when sslmode is verify-ca.<br /><br />I
lookedat this again, and I'm pretty sure we did this intentionally.<br />The idea being that before we had the
verify-ca/verify-fulloptions,<br />adding the root cert would enable the verification. And we didn't want<br />to turn
installationsthat previously did verify the certificate to<br />stop doing so in the new version.<br /><br />So
basically,the behaviour that is by design is:<br />* require: if certificate exists, verify. if certificate doesn't<br
/>exist,don't verify.<br />* verify-ca: if certificate exists, verify. if certificate doesn't<br />exist,
disconnect.<br/><br />The question is, have we had the new options long enough now that we<br />should change it so
thatwe don't verify the cert in the case of<br />cert-exists-but-verification-wasn't-explicitly-asked-for?<br /><br
/>Orshould we just update the documentation to mention how this works?<br /><br />-- <br /> Magnus Hagander<br /> Me:
http://www.hagander.net/<br/> Work: http://www.redpill-linpro.com/<br /><br />Magnus, If you're accepting votes on
this:I would say 'yes' - change the behavior to the most logically consistent ones; ie, isolate the verification bits a
bitmore explicitly. And, in documentation, indicate the deprecation of the old behavior.<br /><br />Our mileage, in
practicalterms, is that the perceived inconsistencies create a minor support hassle - we don't want to present any -
eventrivial - hurdle to adoption of SSL to our clients.<br /><br />Lou Picciano<br /></div>