Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection
From | Lou Picciano
---|---
Subject | Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection
Date | 
Msg-id | 88224499.27838527.1474456570201.JavaMail.zimbra@comcast.net
In reply to | Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection (Heikki Linnakangas <hlinnaka@iki.fi>)
Responses | Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection; Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection
List | pgsql-bugs
Heikki - Would also be happy to set up a test case for this.... Impacts us directly. Need a couple of days to do so, though. Please let me know your timeline.

Lou Picciano

----- Original Message -----
From: "Heikki Linnakangas" <hlinnaka@iki.fi>
To: kzuk@akamai.com, pgsql-bugs@postgresql.org
Sent: Wednesday, September 21, 2016 4:06:33 AM
Subject: Re: [BUGS] BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection

On 09/20/2016 01:10 PM, kzuk@akamai.com wrote:
> My educated guess is that in fe-secure-openssl.c in initialize_SSL function
> whole certificate chain is loaded into SSL_context, but only client
> certificate is loaded to SSL object. SSL object is created before loading
> certificate chain into SSL_context, so it doesn't see this update. Only the
> next connection, with new SSL object, picks up the certificate chain from
> SSL_context. It doesn't explain why it works with OpenSSL 1.0.1 though, so
> that may be a false trail.

Yeah, that's probably what's happening. The OpenSSL man page for SSL_CTX_use_certificate() says:

> The SSL_CTX_* class of functions loads the certificates and keys into
> the SSL_CTX object ctx. The information is passed to SSL objects ssl
> created from ctx with SSL_new by copying, so that changes applied to
> ctx do not propagate to already existing SSL objects.

It says the same in both 1.0.1 and 1.0.2 versions, though. I guess we have been relying on a bug that was fixed in 1.0.2, in that the intermediate CA certs were actually propagated from the context to the existing SSL object, contrary to what the man page says. I don't immediately see any relevant change in the OpenSSL commit logs between 1.0.1 and 1.0.2, though.

I think we need to rearrange the code so that we call SSL_CTX_use_certificate() first, and SSL_new() after that. I wonder if that's going to break 1.0.1, though.

Setting up a test environment with the required certificates and CAs is a bit tedious. Would you be interested in adding a test case for this in the SSL test suite, in src/test/ssl, and posting a patch for that? I can take a stab at fixing this, but having a test case ready would give me a head start.

- Heikki

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
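The certificate setup Heikki calls tedious can be scripted. The script below is an added example, not code from this thread, from libpq or from PostgreSQL's src/test/ssl suite. It uses only the `openssl` command line to build a root CA, an intermediate CA signed by it, and a client certificate signed by the intermediate, then plays the server's side: a server that trusts only the root can verify the client certificate when the intermediate arrives with it, and cannot when the client presents the leaf alone, which is the first-connection symptom the bug report describes. It assumes the `openssl` CLI is installed and that the chain file is laid out leaf first, then intermediates (the layout assumed here for a libpq `sslcert` file that carries a chain); the file and subject names are constructed test values.

```shell
#!/bin/sh
# Added example (not from the thread, libpq or PostgreSQL's test suite):
# build root CA -> intermediate CA -> client certificate with the openssl CLI
# and show what a server that trusts only the root can and cannot verify.
# Assumptions: the `openssl` CLI is installed; the chain file holds the
# client (leaf) certificate followed by the intermediate(s).

# Build a throw-away test PKI under DIR. Keys are unencrypted test keys.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  # Extension file marking the CA certificates as CAs.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"

  # Root CA: self-signed (constructed test subject).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.csr" -subj "/CN=Test Root CA" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
    -out "$dir/root.crt" -days 1 -extfile "$dir/ca.ext" 2>/dev/null

  # Intermediate CA: signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/inter.key" \
    -out "$dir/inter.csr" -subj "/CN=Test Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -out "$dir/inter.crt" -days 1 -extfile "$dir/ca.ext" 2>/dev/null

  # Client certificate: signed by the intermediate; CN is the database role name.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/postgresql.key" \
    -out "$dir/client.csr" -subj "/CN=testuser" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
    -CAcreateserial -out "$dir/client.crt" -days 1 2>/dev/null

  # Chain file: leaf first, then the intermediate (assumed sslcert layout).
  cat "$dir/client.crt" "$dir/inter.crt" > "$dir/postgresql.crt"
  chmod 600 "$dir/postgresql.key"
}

# Number of PEM certificates in a chain file, i.e. how many the client can send.
chain_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Server-side view: the server trusts only root.crt. $2 is the file of
# certificates the client presented; the leaf being checked is client.crt.
# Returns 0 when the chain to the root can be built from what was presented.
verify_as_server() {
  dir=$1
  presented=$2
  openssl verify -CAfile "$dir/root.crt" -untrusted "$presented" \
    "$dir/client.crt" >/dev/null 2>&1
}

# Demo run: RUN_DEMO=1 sh chain_check.sh
if [ -n "${RUN_DEMO:-}" ]; then
  d=$(mktemp -d)
  make_test_pki "$d"
  echo "certificates in chain file: $(chain_cert_count "$d/postgresql.crt")"
  # Leaf alone: what the server sees on the first connection described above.
  verify_as_server "$d" "$d/client.crt" \
    && echo "leaf only: verified" || echo "leaf only: verification fails"
  # Leaf plus intermediate: what the server sees once the chain is sent.
  verify_as_server "$d" "$d/postgresql.crt" \
    && echo "full chain: verified" || echo "full chain: verification fails"
fi
```

With `openssl verify`, `-CAfile` stands in for the server's trusted root and `-untrusted` for the certificates a client sent in the handshake, so the two checks at the bottom model the first and the second connection from the bug report: the leaf alone fails with a missing issuer, the leaf plus intermediate verifies. The same PKI can seed a regression test, and a server log showing client certificate verification failing on only the first connection of a process is the signature to look for in the field.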