improve ssl error code, 2147483650

Поиск
Список
Период
Сортировка
От David Zhang
Тема improve ssl error code, 2147483650
Дата
Msg-id b6fb018b-f05c-4afd-abd3-318c649faf18@highgo.ca
обсуждение исходный текст
Ответы Re: improve ssl error code, 2147483650  (Heikki Linnakangas <hlinnaka@iki.fi>)
Re: improve ssl error code, 2147483650  (Tom Lane <tgl@sss.pgh.pa.us>)
Список pgsql-hackers
Дерево обсуждения 
Hi Hackers,

When configuring SSL on the Postgres server side with the following 
information:

ssl = on
ssl_ca_file = 'root_ca.crt'
ssl_cert_file = 'server-cn-only.crt'
ssl_key_file = 'server-cn-only.key'

If a user makes a mistake, for example, accidentally using 'root_ca.crl' 
instead of 'root_ca.crt', Postgres will report an error like the one below:
FATAL:  could not load root certificate file "root_ca.crl": SSL error 
code 2147483650

Here, the error code 2147483650 is not very helpful for the user. The 
reason is that Postgres is missing the initial SSL file check before 
passing it to the OpenSSL API. For example:

     if (ssl_ca_file[0])
     {
         STACK_OF(X509_NAME) * root_cert_list;

         if (SSL_CTX_load_verify_locations(context, ssl_ca_file, NULL) 
!= 1 ||
             (root_cert_list = SSL_load_client_CA_file(ssl_ca_file)) == 
NULL)
         {
             ereport(isServerStart ? FATAL : LOG,
                     (errcode(ERRCODE_CONFIG_FILE_ERROR),
                      errmsg("could not load root certificate file 
\"%s\": %s",
                             ssl_ca_file, SSLerrmessage(ERR_get_error()))));
             goto error;
         }

The SSL_CTX_load_verify_locations function in OpenSSL will return NULL 
if there is a system error, such as "No such file or directory" in this 
case:

const char *ERR_reason_error_string(unsigned long e)
{
     ERR_STRING_DATA d, *p = NULL;
     unsigned long l, r;

     if (!RUN_ONCE(&err_string_init, do_err_strings_init)) {
         return NULL;
     }

     /*
      * ERR_reason_error_string() can't safely return system error strings,
      * since openssl_strerror_r() needs a buffer for thread safety, and we
      * haven't got one that would serve any sensible purpose.
      */
     if (ERR_SYSTEM_ERROR(e))
         return NULL;

It would be better to perform a simple SSL file check before passing the 
SSL file to OpenSSL APIs so that the system error can be captured and a 
meaningful message provided to the end user.

Attached is a simple patch to help address this issue for ssl_ca_file, 
ssl_cert_file, and ssl_crl_file. With this patch, a similar test will 
return something like the message below:
FATAL:  could not access certificate file "root_ca.crl": No such file or 
directory

I believe this can help end users quickly realize the mistake.


Thank you,
David
Вложения

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Tom Lane
Дата:
Сообщение: Re: Stack overflow issue
Следующее
От: Masahiko Sawada
Дата:
Сообщение: Re: Improve eviction algorithm in ReorderBuffer