Thread

  1. sslmode patch

    Jon Jensen <jon@endpoint.com> — 2003-07-01T02:45:47Z

    Folks,
    
    At long last I put together a patch to support 4 client SSL negotiation
    modes (and replace the requiressl boolean). The four options were first
    spelled out by Magnus Hagander <mha@sollentuna.net> on 2000-08-23 in email
    to pgsql-hackers, archived here:
    
    http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
    
    My original less-flexible patch and the ensuing thread are archived at:
    
    http://dbforums.com/t623845.html
    
    Attached is a new patch, including documentation.
    
    To sum up, there's a new client parameter "sslmode" and environment 
    variable "PGSSLMODE", with these options:
    
    sslmode   description
    -------   -----------
    prevent   Unencrypted non-SSL only
    allow     Negotiate, prefer non-SSL
    prefer    Negotiate, prefer SSL (default)
    require   Require SSL
    
    The only change to the server is a new pg_hba.conf line type,
    "hostnossl", for specifying connections that are not allowed to use SSL
    (for example, to prevent servers on a local network from accidentally
    using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:
    
    pg_hba.conf line types
    ----------------------
    host       applies to either SSL or regular connections
    hostssl    applies only to SSL connections
    hostnossl  applies only to regular connections
    
    These client and server options, the postgresql.conf ssl = false option,
    and finally the possibility of compiling with no SSL support at all,
    make quite a range of combinations to test. I threw together a test
    script to try many of them out. It's in a separate tarball with its
    config files, a patch to psql so it'll announce SSL connections even in
    absence of a tty, and the test output. The test is especially informative 
    when run on the same tty the postmaster was started on, so the FATAL: 
    errors during negotiation are interleaved with the psql client output.
    
    I saw Tom write that new submissions for 7.4 have to be in before midnight
    local time, and since I'm on the east coast in the US, this just makes it
    in before the bell. :)
    
    Jon
  2. Re: sslmode patch

    Bruce Momjian <pgman@candle.pha.pa.us> — 2003-07-01T19:11:59Z

    Jon Jensen wrote:
    > Folks,
    > 
    > At long last I put together a patch to support 4 client SSL negotiation
    > modes (and replace the requiressl boolean). The four options were first
    > spelled out by Magnus Hagander <mha@sollentuna.net> on 2000-08-23 in email
    > to pgsql-hackers, archived here:
    > 
    > http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
    > 
    > My original less-flexible patch and the ensuing thread are archived at:
    > 
    > http://dbforums.com/t623845.html
    > 
    > Attached is a new patch, including documentation.
    > 
    > To sum up, there's a new client parameter "sslmode" and environment 
    > variable "PGSSLMODE", with these options:
    > 
    > sslmode   description
    > -------   -----------
    > prevent   Unencrypted non-SSL only
    
    I think the word 'never' would be more appropriate than 'prevent'.
    
    > allow     Negotiate, prefer non-SSL
    
    I like 'allow'.  The never liked the 'prefernonssl/preferssl', though I
    may have been the one to suggest it.
    
    > prefer    Negotiate, prefer SSL (default)
    > require   Require SSL
    > 
    > The only change to the server is a new pg_hba.conf line type,
    > "hostnossl", for specifying connections that are not allowed to use SSL
    
    Should this be 'hostneverssl'?  Nossl implies to me that the host
    doesn't have SSL, which really isn't the issue.
    
    > (for example, to prevent servers on a local network from accidentally
    > using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:
    > 
    > pg_hba.conf line types
    > ----------------------
    > host       applies to either SSL or regular connections
    > hostssl    applies only to SSL connections
    > hostnossl  applies only to regular connections
    > 
    > These client and server options, the postgresql.conf ssl = false option,
    > and finally the possibility of compiling with no SSL support at all,
    > make quite a range of combinations to test. I threw together a test
    > script to try many of them out. It's in a separate tarball with its
    > config files, a patch to psql so it'll announce SSL connections even in
    > absence of a tty, and the test output. The test is especially informative 
    > when run on the same tty the postmaster was started on, so the FATAL: 
    > errors during negotiation are interleaved with the psql client output.
    
    Are out defaults right, that we prefer SSL if client and server can do
    it?  And now have hostnossl(or hostneverssl) to turn it off?
    
    > I saw Tom write that new submissions for 7.4 have to be in before midnight
    > local time, and since I'm on the east coast in the US, this just makes it
    > in before the bell. :)
    
    I think we can get this into 7.4.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  3. Re: sslmode patch

    Jon Jensen <jon@endpoint.com> — 2003-07-01T20:03:23Z

    On Tue, 1 Jul 2003, Bruce Momjian wrote:
    
    > > To sum up, there's a new client parameter "sslmode" and environment 
    > > variable "PGSSLMODE", with these options:
    > > 
    > > sslmode   description
    > > -------   -----------
    > > prevent   Unencrypted non-SSL only
    > 
    > I think the word 'never' would be more appropriate than 'prevent'.
    
    That sounds fine to me, though it breaks with the pattern of all four
    option words being verbs, allowing the user to think "I want to *** SSL
    mode for this connect."
    
    > > The only change to the server is a new pg_hba.conf line type,
    > > "hostnossl", for specifying connections that are not allowed to use SSL
    > 
    > Should this be 'hostneverssl'?  Nossl implies to me that the host
    > doesn't have SSL, which really isn't the issue.
    
    Well, perhaps. But by that logic, "hostssl" would imply that the client
    only will do SSL, which the server can't know. Since the server doesn't
    know anything about the client ahead of time, I don't read anything into
    it. I just think:
    
        host = apply this line for any kind of connection, 
        hostssl = apply this line only to SSL connections, and
        hostnossl = apply this line only to non-SSL connections.
    
    It's unfortunate there's not a more distinctive name for a "regular" or
    "plain" or "unencrypted" connection than "no SSL", but I don't think it's
    too big of a deal.
    
    > Are out defaults right, that we prefer SSL if client and server can do
    > it?  And now have hostnossl(or hostneverssl) to turn it off?
    
    Yes, I think the defaults are good. Users who don't bother to read the 
    docs will end up with secured connections, which is good, and users 
    seeking to avoid the SSL overhead can then read the docs and learn how, 
    and consider how secure their network really is. :)
    
    > I think we can get this into 7.4.
    
    That would be great. It would be good to hear someone else's take on the
    above, and also on the code itself, since I'm not a C expert. I was unable
    to build docs from SGML yesterday on my machine, and now that I got it to
    work, I find I made some markup errors which I've corrected and can
    resubmit whenever you're ready.
    
    Jon
    
    
  4. Re: sslmode patch

    Bruce Momjian <pgman@candle.pha.pa.us> — 2003-07-01T20:16:17Z

    Jon Jensen wrote:
    > On Tue, 1 Jul 2003, Bruce Momjian wrote:
    > 
    > > > To sum up, there's a new client parameter "sslmode" and environment 
    > > > variable "PGSSLMODE", with these options:
    > > > 
    > > > sslmode   description
    > > > -------   -----------
    > > > prevent   Unencrypted non-SSL only
    > > 
    > > I think the word 'never' would be more appropriate than 'prevent'.
    > 
    > That sounds fine to me, though it breaks with the pattern of all four
    > option words being verbs, allowing the user to think "I want to *** SSL
    > mode for this connect."
    
    Good point, how about "disable".  My point in objecting to "prevent" is
    that you don't really "prevent" a mode, I think.
    
    > > > The only change to the server is a new pg_hba.conf line type,
    > > > "hostnossl", for specifying connections that are not allowed to use SSL
    > > 
    > > Should this be 'hostneverssl'?  Nossl implies to me that the host
    > > doesn't have SSL, which really isn't the issue.
    > 
    > Well, perhaps. But by that logic, "hostssl" would imply that the client
    > only will do SSL, which the server can't know. Since the server doesn't
    > know anything about the client ahead of time, I don't read anything into
    > it. I just think:
    > 
    >     host = apply this line for any kind of connection, 
    >     hostssl = apply this line only to SSL connections, and
    >     hostnossl = apply this line only to non-SSL connections.
    > 
    > It's unfortunate there's not a more distinctive name for a "regular" or
    > "plain" or "unencrypted" connection than "no SSL", but I don't think it's
    > too big of a deal.
    
    Yes, hostnossl is probably best.
    
    > > Are out defaults right, that we prefer SSL if client and server can do
    > > it?  And now have hostnossl(or hostneverssl) to turn it off?
    > 
    > Yes, I think the defaults are good. Users who don't bother to read the 
    > docs will end up with secured connections, which is good, and users 
    > seeking to avoid the SSL overhead can then read the docs and learn how, 
    > and consider how secure their network really is. :)
    
    Good.
    
    > > I think we can get this into 7.4.
    > 
    > That would be great. It would be good to hear someone else's take on the
    > above, and also on the code itself, since I'm not a C expert. I was unable
    > to build docs from SGML yesterday on my machine, and now that I got it to
    > work, I find I made some markup errors which I've corrected and can
    > resubmit whenever you're ready.
    
    Tom agrees on the 7.4 target.  The docs can be done later, even during
    beta, though we discourage waiting that long.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  5. Re: sslmode patch

    Bruce Momjian <pgman@candle.pha.pa.us> — 2003-07-26T13:50:16Z

    Newest patch applied.  Thanks.
    
    ---------------------------------------------------------------------------
    
    
    
    Jon Jensen wrote:
    > Folks,
    > 
    > At long last I put together a patch to support 4 client SSL negotiation
    > modes (and replace the requiressl boolean). The four options were first
    > spelled out by Magnus Hagander <mha@sollentuna.net> on 2000-08-23 in email
    > to pgsql-hackers, archived here:
    > 
    > http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
    > 
    > My original less-flexible patch and the ensuing thread are archived at:
    > 
    > http://dbforums.com/t623845.html
    > 
    > Attached is a new patch, including documentation.
    > 
    > To sum up, there's a new client parameter "sslmode" and environment 
    > variable "PGSSLMODE", with these options:
    > 
    > sslmode   description
    > -------   -----------
    > disable   Unencrypted non-SSL only
    > allow     Negotiate, prefer non-SSL
    > prefer    Negotiate, prefer SSL (default)
    > require   Require SSL
    > 
    > The only change to the server is a new pg_hba.conf line type,
    > "hostnossl", for specifying connections that are not allowed to use SSL
    > (for example, to prevent servers on a local network from accidentally
    > using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:
    > 
    > pg_hba.conf line types
    > ----------------------
    > host       applies to either SSL or regular connections
    > hostssl    applies only to SSL connections
    > hostnossl  applies only to regular connections
    > 
    > These client and server options, the postgresql.conf ssl = false option,
    > and finally the possibility of compiling with no SSL support at all,
    > make quite a range of combinations to test. I threw together a test
    > script to try many of them out. It's in a separate tarball with its
    > config files, a patch to psql so it'll announce SSL connections even in
    > absence of a tty, and the test output. The test is especially informative 
    > when run on the same tty the postmaster was started on, so the FATAL: 
    > errors during negotiation are interleaved with the psql client output.
    > 
    > I saw Tom write that new submissions for 7.4 have to be in before midnight
    > local time, and since I'm on the east coast in the US, this just makes it
    > in before the bell. :)
    > 
    > Jon
    
    Content-Description: 
    
    [ Attachment, skipping... ]
    
    Content-Description: 
    
    [ Attachment, skipping... ]
    
    > 
    > ---------------------------(end of broadcast)---------------------------
    > TIP 6: Have you searched our list archives?
    > 
    >                http://archives.postgresql.org
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  6. Re: [PATCHES] sslmode patch

    Bruce Momjian <pgman@candle.pha.pa.us> — 2003-07-26T14:41:38Z

    I had a little problem apply this patch because it had an #ifdef for
    elog() parameter passing.  Because ereport() is now a macro, you can't
    do #ifdef inside a macro _call_, so I did it this way:
    
    
    #ifdef USE_SSL
    #define EREPORT_SSL_STATUS  (port->ssl ? "on" : "off")
    #else
    #define EREPORT_SSL_STATUS  "off"
    #endif
    
    	ereport(FATAL,
    		(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
    		 errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", SSL \"%s\"",
    			hostinfo, port->user_name, port->database_name, EREPORT_SSL_STATUS)));
    	break;
    
    Is this the proper way to do it?
     
    ---------------------------------------------------------------------------
    
    Bruce Momjian wrote:
    > 
    > Newest patch applied.  Thanks.
    > 
    > ---------------------------------------------------------------------------
    > 
    > 
    > 
    > Jon Jensen wrote:
    > > Folks,
    > > 
    > > At long last I put together a patch to support 4 client SSL negotiation
    > > modes (and replace the requiressl boolean). The four options were first
    > > spelled out by Magnus Hagander <mha@sollentuna.net> on 2000-08-23 in email
    > > to pgsql-hackers, archived here:
    > > 
    > > http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
    > > 
    > > My original less-flexible patch and the ensuing thread are archived at:
    > > 
    > > http://dbforums.com/t623845.html
    > > 
    > > Attached is a new patch, including documentation.
    > > 
    > > To sum up, there's a new client parameter "sslmode" and environment 
    > > variable "PGSSLMODE", with these options:
    > > 
    > > sslmode   description
    > > -------   -----------
    > > disable   Unencrypted non-SSL only
    > > allow     Negotiate, prefer non-SSL
    > > prefer    Negotiate, prefer SSL (default)
    > > require   Require SSL
    > > 
    > > The only change to the server is a new pg_hba.conf line type,
    > > "hostnossl", for specifying connections that are not allowed to use SSL
    > > (for example, to prevent servers on a local network from accidentally
    > > using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:
    > > 
    > > pg_hba.conf line types
    > > ----------------------
    > > host       applies to either SSL or regular connections
    > > hostssl    applies only to SSL connections
    > > hostnossl  applies only to regular connections
    > > 
    > > These client and server options, the postgresql.conf ssl = false option,
    > > and finally the possibility of compiling with no SSL support at all,
    > > make quite a range of combinations to test. I threw together a test
    > > script to try many of them out. It's in a separate tarball with its
    > > config files, a patch to psql so it'll announce SSL connections even in
    > > absence of a tty, and the test output. The test is especially informative 
    > > when run on the same tty the postmaster was started on, so the FATAL: 
    > > errors during negotiation are interleaved with the psql client output.
    > > 
    > > I saw Tom write that new submissions for 7.4 have to be in before midnight
    > > local time, and since I'm on the east coast in the US, this just makes it
    > > in before the bell. :)
    > > 
    > > Jon
    > 
    > Content-Description: 
    > 
    > [ Attachment, skipping... ]
    > 
    > Content-Description: 
    > 
    > [ Attachment, skipping... ]
    > 
    > > 
    > > ---------------------------(end of broadcast)---------------------------
    > > TIP 6: Have you searched our list archives?
    > > 
    > >                http://archives.postgresql.org
    > 
    > -- 
    >   Bruce Momjian                        |  http://candle.pha.pa.us
    >   pgman@candle.pha.pa.us               |  (610) 359-1001
    >   +  If your life is a hard drive,     |  13 Roberts Road
    >   +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    > 
    > ---------------------------(end of broadcast)---------------------------
    > TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  7. Re: [PATCHES] sslmode patch

    Tom Lane <tgl@sss.pgh.pa.us> — 2003-07-26T15:14:46Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > I had a little problem apply this patch because it had an #ifdef for
    > elog() parameter passing.  Because ereport() is now a macro, you can't
    > do #ifdef inside a macro _call_, so I did it this way:
    
    I don't think a non-SSL-enabled build need be pointing that out in every
    error message --- the SSL phrase shouldn't even be there in the message.
    Accordingly, I'd be inclined to do this:
    
    #ifdef USE_SSL
        ereport(FATAL,
            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
             errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
                    hostinfo, port->user_name, port->database_name,
                    (port->ssl ? gettext("SSL on") : gettext("SSL off")))));
    #else
        ereport(FATAL,
            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
             errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
                    hostinfo, port->user_name, port->database_name)));
    #endif
    
    This approach is also more localizable.
    
    			regards, tom lane
    
    
  8. Re: [PATCHES] sslmode patch

    Bruce Momjian <pgman@candle.pha.pa.us> — 2003-07-26T15:22:45Z

    Excellent idea.  Patch attached and applied.
    
    ---------------------------------------------------------------------------
    
    Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > I had a little problem apply this patch because it had an #ifdef for
    > > elog() parameter passing.  Because ereport() is now a macro, you can't
    > > do #ifdef inside a macro _call_, so I did it this way:
    > 
    > I don't think a non-SSL-enabled build need be pointing that out in every
    > error message --- the SSL phrase shouldn't even be there in the message.
    > Accordingly, I'd be inclined to do this:
    > 
    > #ifdef USE_SSL
    >     ereport(FATAL,
    >         (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
    >          errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
    >                 hostinfo, port->user_name, port->database_name,
    >                 (port->ssl ? gettext("SSL on") : gettext("SSL off")))));
    > #else
    >     ereport(FATAL,
    >         (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
    >          errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
    >                 hostinfo, port->user_name, port->database_name)));
    > #endif
    > 
    > This approach is also more localizable.
    > 
    > 			regards, tom lane
    > 
    > ---------------------------(end of broadcast)---------------------------
    > TIP 6: Have you searched our list archives?
    > 
    >                http://archives.postgresql.org
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
  9. Sorry/spam - how do you unsubscribe?

    Steven Vajdic <svajdic@asc.corp.mot.com> — 2003-07-28T04:06:14Z