Ray Stell wrote:
> On Mon, Nov 01, 2010 at 12:46:33PM -0400, Tom Lane wrote:
> > Ray Stell <stellr@cns.vt.edu> writes:
> > > Someone asked about ssl client cert auth recently. I got
> > > this to work, but something tripped me up.
> >
> > > http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html
> >
> > > states (very clearly, btw) that, "To require the client to supply a
> > > trusted certificate, place certificates of the certificate authorities
> > > (CAs) you trust in the file root.crt in the data directory." I had
> > > ASS-U-MEd that root.crt would go in .postgresql as it does for encryption.
> >
> > > This begs the question, why two copies of the same file?
> >
> > The one in ~/.postgresql is for client usage. The one in $PGDATA is for
> > the server's use. There's no reason to assume they'd be the same.
> >
> > regards, tom lane
>
> I think I see where I went off:
> 31.17. SSL Support
> Changing this to:
> 31.17. Client SSL Support
> would be helpful. Also,
> 31.17.4. SSL File Usage
> might be:
> 31.17.4. SSL Client File Usage
> They did this in the server section, so I'm not completely nuts:
> 17.8.2. SSL Server File Usage
>
> In hindsight it is very clear. Chapter 17 is on the server and 31 is on the
> client. Adding those section title words would have helped me stay on
> course.
>
> Another way of providing a clue would be to add $PGDATA somewhere in Table
> 17-3. SSL Server File Usage. They did that sort of thing on the client side
> in Table 31-4. Libpq/Client SSL File Usage.
These are all very good ideas and I have applied them for 9.1 in the
attached patch. I also found a few libpq titles that needed
capitalization, which is also in the patch. Thanks for the ideas.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index fe661b8..1606a56 100644
*** /tmp/pgdiff.4616/aPwGCb_libpq.sgml Mon Jan 17 21:29:06 2011
--- doc/src/sgml/libpq.sgml Mon Jan 17 21:04:29 2011
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6641,6647 ****
</para>
<sect2 id="libq-ssl-certificates">
! <title>Certificate verification</title>
<para>
By default, <productname>PostgreSQL</> will not perform any verification of
--- 6641,6647 ----
</para>
<sect2 id="libq-ssl-certificates">
! <title>Client Verification of Server Certificates</title>
<para>
By default, <productname>PostgreSQL</> will not perform any verification of
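Review bot: the sect2 id in this hunk's context lines reads `libq-ssl-certificates`, which looks like a typo for `libpq-ssl-certificates` (every other sect2 id touched by this patch uses the `libpq-` prefix). It predates this change and renaming an id breaks existing links to the anchor, so if it is fixed at all it should be a separate, deliberate commit rather than slipped into a title-capitalization patch. The new title "Client Verification of Server Certificates" itself reads well and states which side does the verifying, which is the distinction the thread was asking for.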
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6696,6702 ****
</sect2>
<sect2 id="libpq-ssl-clientcert">
! <title>Client certificates</title>
<para>
If the server requests a trusted client certificate,
--- 6696,6702 ----
</sect2>
<sect2 id="libpq-ssl-clientcert">
! <title>Client Certificates</title>
<para>
If the server requests a trusted client certificate,
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6738,6744 ****
</sect2>
<sect2 id="libpq-ssl-protection">
! <title>Protection provided in different modes</title>
<para>
The different values for the <literal>sslmode</> parameter provide different
--- 6738,6744 ----
</sect2>
<sect2 id="libpq-ssl-protection">
! <title>Protection Provided in Different Modes</title>
<para>
The different values for the <literal>sslmode</> parameter provide different
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6746,6752 ****
protection against three types of attacks:
</para>
<table id="libpq-ssl-protect-attacks">
! <title>SSL attacks</title>
<tgroup cols="2">
<thead>
<row>
--- 6746,6752 ----
protection against three types of attacks:
</para>
<table id="libpq-ssl-protect-attacks">
! <title>SSL Attacks</title>
<tgroup cols="2">
<thead>
<row>
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6821,6827 ****
</para>
<table id="libpq-ssl-sslmode-statements">
! <title>SSL mode descriptions</title>
<tgroup cols="4">
<thead>
<row>
--- 6821,6827 ----
</para>
<table id="libpq-ssl-sslmode-statements">
! <title>SSL Mode Descriptions</title>
<tgroup cols="4">
<thead>
<row>
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6912,6918 ****
</sect2>
<sect2 id="libpq-ssl-fileusage">
! <title>SSL File Usage</title>
<table id="libpq-ssl-file-usage">
<title>Libpq/Client SSL File Usage</title>
<tgroup cols="3">
--- 6912,6918 ----
</sect2>
<sect2 id="libpq-ssl-fileusage">
! <title>SSL Client File Usage</title>
<table id="libpq-ssl-file-usage">
<title>Libpq/Client SSL File Usage</title>
<tgroup cols="3">
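Review bot: the sect2 is now titled "SSL Client File Usage" while the table directly under it keeps the title "Libpq/Client SSL File Usage", so the two headings disagree on word order and on whether libpq is named. Since the server-side table in runtime.sgml is "SSL Server File Usage", consider retitling the table "SSL Client File Usage" as well so the client and server tables mirror each other and a reader scanning the table list sees the client/server split immediately.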
*************** ldap://ldap.acme.com/cn=dbserver,cn=host
*** 6958,6964 ****
</sect2>
<sect2 id="libpq-ssl-initialize">
! <title>SSL library initialization</title>
<para>
If your application initializes <literal>libssl</> and/or
--- 6958,6964 ----
</sect2>
<sect2 id="libpq-ssl-initialize">
! <title>SSL Library Initialization</title>
<para>
If your application initializes <literal>libssl</> and/or
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 8911e99..9b92bec 100644
*** /tmp/pgdiff.4616/QgCZ3a_runtime.sgml Mon Jan 17 21:29:06 2011
--- doc/src/sgml/runtime.sgml Mon Jan 17 21:18:42 2011
*************** $ <userinput>kill -INT `head -1 /usr/loc
*** 1770,1796 ****
<tbody>
<row>
! <entry><filename>server.crt</></entry>
<entry>server certificate</entry>
<entry>sent to client to indicate server's identity</entry>
</row>
<row>
! <entry><filename>server.key</></entry>
<entry>server private key</entry>
<entry>proves server certificate was sent by the owner; does not indicate
certificate owner is trustworthy</entry>
</row>
<row>
! <entry><filename>root.crt</></entry>
<entry>trusted certificate authorities</entry>
<entry>checks that client certificate is
signed by a trusted certificate authority</entry>
</row>
<row>
! <entry><filename>root.crl</></entry>
<entry>certificates revoked by certificate authorities</entry>
<entry>client certificate must not be on this list</entry>
</row>
--- 1770,1796 ----
<tbody>
<row>
! <entry><filename>$PGDATA/server.crt</></entry>
<entry>server certificate</entry>
<entry>sent to client to indicate server's identity</entry>
</row>
<row>
! <entry><filename>$PGDATA/server.key</></entry>
<entry>server private key</entry>
<entry>proves server certificate was sent by the owner; does not indicate
certificate owner is trustworthy</entry>
</row>
<row>
! <entry><filename>$PGDATA/root.crt</></entry>
<entry>trusted certificate authorities</entry>
<entry>checks that client certificate is
signed by a trusted certificate authority</entry>
</row>
<row>
! <entry><filename>$PGDATA/root.crl</></entry>
<entry>certificates revoked by certificate authorities</entry>
<entry>client certificate must not be on this list</entry>
</row>
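Review bot: `$PGDATA/` now sits inside `<filename>` markup on all four entries, but nothing in the visible table says that `$PGDATA` stands for the server's data directory, so a reader who does not have that variable set may take the path literally. Suggest either marking the prefix up as `<envar>$PGDATA</envar>` or adding one sentence before the table stating that these files are read from the data directory, which is the hint the thread asked for. The root.crt row is also the natural place to say explicitly that this file verifies client certificates, whereas the client-side ~/.postgresql/root.crt verifies the server certificate, since conflating the two trust anchors is exactly what started this thread; one clause in the "checks that client certificate is signed by a trusted certificate authority" entry would close that gap.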