Allow SSL to work without client-side certificate infrastructure.
authorBruce Momjian <bruce@momjian.us>
Thu, 26 Sep 2002 04:41:55 +0000 (04:41 +0000)
committerBruce Momjian <bruce@momjian.us>
Thu, 26 Sep 2002 04:41:55 +0000 (04:41 +0000)
doc/src/sgml/runtime.sgml
src/backend/libpq/be-secure.c
src/interfaces/libpq/fe-secure.c

index 753d084b355083db4a6a9be1a0fd84faf156f32d..703d2ddc95721474578bce919f43247692eba732 100644 (file)
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.139 2002/09/25 21:16:10 petere Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.140 2002/09/26 04:41:54 momjian Exp $
 -->
 
 <Chapter Id="runtime">
@@ -2876,6 +2876,7 @@ openssl rsa -in privkey.pem -out cert.pem
    Enter the old passphrase to unlock the existing key. Now do
 <programlisting>
 openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
+chmod og-rwx cert.pem
 cp cert.pem <replaceable>$PGDATA</replaceable>/server.key
 cp cert.cert <replaceable>$PGDATA</replaceable>/server.crt
 </programlisting>
index 6baf568eea53a7b2619b33eb769ccd997b58d582..7288a2bec5c804b3eda4b7fa4d063e14e8fbe485 100644 (file)
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.14 2002/09/04 23:31:34 tgl Exp $
+ *       $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.15 2002/09/26 04:41:54 momjian Exp $
  *
  *       Since the server static private key ($DataDir/server.key)
  *       will normally be stored unencrypted so that the database
@@ -642,9 +642,13 @@ initialize_SSL(void)
        snprintf(fnbuf, sizeof fnbuf, "%s/root.crt", DataDir);
        if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, CA_PATH))
        {
+               return 0;
+#ifdef NOT_USED
+               /* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
                postmaster_error("could not read root cert file (%s): %s",
                                                 fnbuf, SSLerrmessage());
                ExitPostmaster(1);
+#endif
        }
        SSL_CTX_set_verify(SSL_context,
                                        SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_cb);
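Review bot: The new `return 0;` in the root.crt failure branch treats every load failure as "client certificates not wanted", so a root.crt that exists but is unreadable or malformed turns off client-certificate verification with no message, and the `SSL_CTX_set_verify(... SSL_VERIFY_PEER ...)` call below is never reached. I would keep the report and drop only the exit, i.e. leave `postmaster_error("could not read root cert file (%s): %s", fnbuf, SSLerrmessage());` in front of `return 0;` (assuming postmaster_error only reports and does not exit), and ideally continue without verification only when the file is absent. The marker comment would read more accurately as `/* root.crt is optional; without it client certificates are not verified */`. initialize_SSL continues outside the hunk, so anything it sets up after this point is also skipped by the early return and should be checked.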
index f702cb05b98b359ba326ba600c5474285c03fe0e..545a19ca3c8861425fea0dd0bcd1707da93b7160 100644 (file)
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.13 2002/09/22 20:57:21 petere Exp $
+ *       $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.14 2002/09/26 04:41:55 momjian Exp $
  *
  * NOTES
  *       The client *requires* a valid server certificate.  Since
@@ -726,10 +726,14 @@ initialize_SSL(PGconn *conn)
                                 pwd->pw_dir);
                if (stat(fnbuf, &buf) == -1)
                {
+                       return 0;
+#ifdef NOT_USED
+                       /* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
                        printfPQExpBuffer(&conn->errorMessage,
                                 libpq_gettext("could not read root certificate list (%s): %s\n"),
                                                          fnbuf, strerror(errno));
                        return -1;
+#endif
                }
                if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, 0))
                {
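Review bot: `return 0;` after the failed `stat()` accepts any errno, not only a missing file, so a permission or path problem on the root certificate list is reported as success and the context ends up with no trust anchors loaded. Guarding the fall-through with `if (errno == ENOENT) return 0;` and keeping the existing `printfPQExpBuffer(...)`/`return -1;` path for other errors would preserve the diagnostic where the file exists but cannot be used. The early return also leaves initialize_SSL before `SSL_CTX_load_verify_locations` and whatever follows it; the function body continues outside the hunk, so any later setup it now skips should be confirmed.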
@@ -789,6 +793,8 @@ open_client_SSL(PGconn *conn)
 
        /* check the certificate chain of the server */
 
+#ifdef NOT_USED
+       /* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
        /*
         * this eliminates simple man-in-the-middle attacks and simple
         * impersonations
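Review bot: The `#ifdef NOT_USED` opened here, and the second one around the common-name check (the hunks at -824 and -834), compile out the client's verification of the server certificate for every connection, including those where a root certificate list was found; the marker `/* CLIENT CERTIFICATES NOT REQUIRED */` describes a different thing and would be clearer as `/* server certificate verification disabled  bjm 2002-09-26 */`. The disabled comments themselves state that these checks are what stops man-in-the-middle and impersonation, so after this change the connection is still encrypted but the client no longer authenticates the server. I would make both checks conditional at run time on whether initialize_SSL actually loaded a root certificate list rather than removing them, and update the file's NOTES header, which still says the client requires a valid server certificate. The checks themselves lie between the hunks and are not visible here.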
@@ -802,6 +808,7 @@ open_client_SSL(PGconn *conn)
                close_SSL(conn);
                return -1;
        }
+#endif
 
        /* pull out server distinguished and common names */
        conn->peer = SSL_get_peer_certificate(conn->ssl);
@@ -824,6 +831,8 @@ open_client_SSL(PGconn *conn)
 
        /* verify that the common name resolves to peer */
 
+#ifdef NOT_USED
+       /* CLIENT CERTIFICATES NOT REQUIRED  bjm 2002-09-26 */
        /*
         * this is necessary to eliminate man-in-the-middle attacks and
         * impersonations where the attacker somehow learned the server's
@@ -834,6 +843,7 @@ open_client_SSL(PGconn *conn)
                close_SSL(conn);
                return -1;
        }
+#endif
 
        return 0;
 }