Re: BUG #17760: SCRAM authentication fails with "modern" (rsassaPss signature) server certificate
Jacob Champion <jchampion@timescale.com>
From: Jacob Champion <jchampion@timescale.com>
To: Michael Paquier <michael@paquier.xyz>
Cc: Heikki Linnakangas <hlinnaka@iki.fi>, gunnar.bluth@pro-open.de, pgsql-bugs@lists.postgresql.org
Date: 2023-02-11T00:13:07Z
Lists: pgsql-bugs
Attachments
- WIP-handle-RSA-PSS-certs.patch (application/x-patch) patch
On Thu, Feb 9, 2023 at 2:46 PM Michael Paquier <michael@paquier.xyz> wrote: > I could get that some users would want to be able to use such certs, > though. At least we have one such user as of this thread. My take on this bug is that Gunnar doesn't need to solve the general "undef" case. They've got a certificate that's supposed to be using SHA512. It looks like OpenSSL 1.1.1 gives us a better API for grabbing that; see attached draft (not mesonified, needs independent verification), which fixes Heikki's certificate case at least. It's unfortunate that it doesn't reach back to 1.0.2, or to LibreSSL, but that doesn't appear to be a problem for Gunnar's situation, and you'd mentioned wanting to drop 1.0.2 support in HEAD soon anyway. Maybe someone really wants to use EdDSA certs, which aren't handled by that API. But this stopgap would buy us some time for the cryptographers to settle on things -- or at least to ask them? And if people want new crypto they're going to need to upgrade eventually. (Maybe by that point we'll know that X509_digest_sig() is in fact correct for bindings.) <strong opinions> - Our current departures from the spec (e.g. no tls-unique) mean that we already can't interoperate with standard SASL libraries. I've been trying to realign them, slowly. - Coming up with our own binding type takes time and resources away from other things this thread highlighted (the ability to force the use of a binding at the server side. better behavior when we can't actually compute a binding value. tls-exporter support...). - Worst case, using SHA256 for a future certificate type might be *catastrophically* wrong, but no one's going to warn us, and it's not going to be obvious to the DBA or their users that our nonstandard binding is in effect. - Best case, we choose exactly right, but if/when tls-server-end-point gets updated for EdDSA, the world will move on and we'll still have to support that vestigial binding type for the next X years. </strong opinions> --Jacob
Commits
-
Fix handling of SCRAM-SHA-256's channel binding with RSA-PSS certificates
- 88d606f7cc68 11.20 landed
- a40e7b75e689 12.15 landed
- 2eb8e54cc373 13.11 landed
- 864f80feadea 14.8 landed
- 5fd61055eacf 15.3 landed
- 9244c11afe23 16.0 landed