upstream/postgresql
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2026-04-23 07:07:22 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
postgresql/src/backend/libpq
History
Tom Lane 6599d8f126 Allow root-owned SSL private keys in libpq, not only the backend. 
This change makes libpq apply the same private-key-file ownership
and permissions checks that we have used in the backend since commit
9a83564c5.  Namely, that the private key can be owned by either the
current user or root (with different file permissions allowed in the
two cases).  This allows system-wide management of key files, which
is just as sensible on the client side as the server, particularly
when the client is itself some application daemon.

Sync the comments about this between libpq and the backend, too.

Back-patch of a59c79564 and 50f03473e into all supported branches.

David Steele

Discussion: https://postgr.es/m/f4b7bc55-97ac-9e69-7398-335e212f7743@pgmasters.net
2022-03-02 11:57:02 -05:00
..
auth-scram.c Initial pgindent and pgperltidy run for v13. 2020-05-14 13:06:50 -04:00
auth.c Don't assume GSSAPI result strings are null-terminated. 2021-06-23 14:01:32 -04:00
be-fsstubs.c Fix snapshot reference leak if lo_export fails. 2021-11-03 10:54:36 +02:00
be-gssapi-common.c Don't assume GSSAPI result strings are null-terminated. 2021-06-23 14:01:32 -04:00
be-secure-common.c Allow root-owned SSL private keys in libpq, not only the backend. 2022-03-02 11:57:02 -05:00
be-secure-gssapi.c Fix up usage of krb_server_keyfile GUC parameter. 2020-12-30 11:38:42 -05:00
be-secure-openssl.c Set type identifier on BIO 2021-08-17 14:31:00 +02:00
be-secure.c Fix assorted issues in backend's GSSAPI encryption support. 2020-12-28 17:44:17 -05:00
crypt.c Initial pgindent and pgperltidy run for v13. 2020-05-14 13:06:50 -04:00
hba.c Fix pg_hba_file_rules for authentication method cert 2022-01-26 09:59:19 +01:00
ifaddr.c Update copyrights for 2020 2020-01-01 12:21:45 -05:00
Makefile Split all OBJS style lines in makefiles into one-line-per-entry style. 2019-11-05 14:41:07 -08:00
pg_hba.conf.sample gss: add missing references to hostgssenc and hostnogssenc 2020-05-25 20:19:28 -04:00
pg_ident.conf.sample Reformat the comments in pg_hba.conf and pg_ident.conf 2010-01-26 06:58:39 +00:00
pqcomm.c Revert "graceful shutdown" changes for Windows, in back branches only. 2022-01-25 12:17:40 -05:00
pqformat.c Update copyrights for 2020 2020-01-01 12:21:45 -05:00
pqmq.c Update copyrights for 2020 2020-01-01 12:21:45 -05:00
pqsignal.c Update copyrights for 2020 2020-01-01 12:21:45 -05:00
README.SSL Move EDH support to common files 2018-01-23 07:11:38 -05:00

README.SSL 

src/backend/libpq/README.SSL

SSL
===

>From the servers perspective:


  Receives StartupPacket
           |
           |
 (Is SSL_NEGOTIATE_CODE?) -----------  Normal startup
           |                  No
           |
           | Yes
           |
           |
 (Server compiled with USE_SSL?) ------- Send 'N'
           |                       No        |
           |                                 |
           | Yes                         Normal startup
           |
           |
        Send 'S'
           |
           |
      Establish SSL
           |
           |
      Normal startup





>From the clients perspective (v6.6 client _with_ SSL):


      Connect
         |
         |
  Send packet with SSL_NEGOTIATE_CODE
         |
         |
  Receive single char  ------- 'S' -------- Establish SSL
         |                                       |
         | '<else>'                              |
         |                                  Normal startup
         |
         |
   Is it 'E' for error  ------------------- Retry connection
         |                  Yes             without SSL
         | No
         |
   Is it 'N' for normal ------------------- Normal startup
         |                  Yes
         |
   Fail with unknown

---------------------------------------------------------------------------

Ephemeral DH
============

Since the server static private key ($DataDir/server.key) will
normally be stored unencrypted so that the database backend can
restart automatically, it is important that we select an algorithm
that continues to provide confidentiality even if the attacker has the
server's private key.  Ephemeral DH (EDH) keys provide this and more
(Perfect Forward Secrecy aka PFS).

N.B., the static private key should still be protected to the largest
extent possible, to minimize the risk of impersonations.

Another benefit of EDH is that it allows the backend and clients to
use DSA keys.  DSA keys can only provide digital signatures, not
encryption, and are often acceptable in jurisdictions where RSA keys
are unacceptable.

The downside to EDH is that it makes it impossible to use ssldump(1)
if there's a problem establishing an SSL session.  In this case you'll
need to temporarily disable EDH (see initialize_dh()).