Hello PostgreSQL developers, Martin Pitt [2010-08-17 6:49 +0200]: > I received a request to support system-wide root certificates in > libpq. Right now it only looks in ~/.postgresql/root.crt, but since > such certificates are usually set up system wide and be maintained by > the sysadmins, it would be very convenient if there was a fallback > lookup in /etc/postgresql/ or similar.
Patch attached against current git head. I tested it with both the default case (new option not specified), as well as with --with-ssl-root-cert-dir=/etc/postgresql-common, and confirm that in the latter case root.crt gets picked up from /etc/postgresql-common/ if it's not in ~/.postgresql/. Thank you for considering, Martin -- Martin Pitt | http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
From d04dbbdcd3aca55feed2193afbbb343505397e1a Mon Sep 17 00:00:00 2001
From: Martin Pitt <mp...@debian.org>
Date: Thu, 19 Aug 2010 23:05:54 +0200
Subject: [PATCH] Add system-wide fallback directory for SSL root certs

Add a --with-ssl-root-cert-dir=DIR configure option to provide a fall back directory for root.crt and root.crl if they are not found in the home directory. This allows sysadmins to install those files system wide. If the option is not specified, behaviour is unchanged.
---
 configure | 37 +++++++++++++++++++++++++++++++++++++
 configure.in | 8 ++++++++
 src/include/pg_config.h.in | 4 ++++
 src/interfaces/libpq/fe-secure.c | 14 ++++++++++++++
 4 files changed, 63 insertions(+), 0 deletions(-)

diff --git a/configure b/configure
index bd9b347..9cc0e9f 100755
--- a/configure
+++ b/configure
@@ -836,6 +836,7 @@ with_pam with_ldap with_bonjour with_openssl +with_ssl_root_cert_dir with_readline with_libedit_preferred with_ossp_uuid
@@ -1532,6 +1533,9 @@ Optional Packages: --with-ldap build with LDAP support --with-bonjour build with Bonjour support --with-openssl build with OpenSSL support + --with-ssl-root-cert-dir=DIR + system-wide directory for root.crt and root.crl, if + not present in home directory --without-readline do not use GNU Readline nor BSD Libedit for editing --with-libedit-preferred prefer BSD Libedit over GNU Readline
@@ -5315,6 +5319,39 @@ $as_echo "$with_openssl" >&6; } + + +# Check whether --with-ssl-root-cert-dir was given. +if test "${with_ssl_root_cert_dir+set}" = set; then + withval=$with_ssl_root_cert_dir; + case $withval in + yes) + { { $as_echo "$as_me:$LINENO: error: argument required for --with-ssl-root-cert-dir option" >&5 +$as_echo "$as_me: error: argument required for --with-ssl-root-cert-dir option" >&2;} + { (exit 1); exit 1; }; } + ;; + no) + { { $as_echo "$as_me:$LINENO: error: argument required for --with-ssl-root-cert-dir option" >&5 +$as_echo "$as_me: error: argument required for --with-ssl-root-cert-dir option" >&2;} + { (exit 1); exit 1; }; } + ;; + *) + + ;; + esac + +fi + + +if test "x$with_ssl_root_cert_dir" != "x"; then + +cat >>confdefs.h <<_ACEOF +#define SYSTEM_SSL_ROOT_PATH "$with_ssl_root_cert_dir" +_ACEOF + +fi + + # # Readline #
diff --git a/configure.in b/configure.in
index 7b09986..e8c4095 100644
--- a/configure.in
+++ b/configure.in
@@ -676,6 +676,14 @@ PGAC_ARG_BOOL(with, openssl, no, [build with OpenSSL support],
 AC_MSG_RESULT([$with_openssl])
 AC_SUBST(with_openssl)

+PGAC_ARG_REQ(with, ssl-root-cert-dir,
+ [DIR], [system-wide directory for root.crt and root.crl, if not present in home directory],
+ [])
+if test "x$with_ssl_root_cert_dir" != "x"; then
+ AC_DEFINE_UNQUOTED([SYSTEM_SSL_ROOT_PATH], ["$with_ssl_root_cert_dir"],
+ [Define to the system-wide directory for root.crt and root.crl, if not present in home directory (--with-ssl-root-cert-dir=DIR)])
+fi
+

 #
 # Readline
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index fd169b6..46fdb0c 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
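Review bot: The new `PGAC_ARG_REQ(with, ssl-root-cert-dir, ...)` call in configure.in passes an empty action (`[]`), so any string is accepted as DIR, including a relative path. A relative value would be compiled into `SYSTEM_SSL_ROOT_PATH`, and libpq would then resolve the trust anchor against the working directory of whatever client process happens to be running. Because this directory supplies root.crt and root.crl to every user on the machine, configure should reject a non-absolute value, for example by replacing the empty action with `[case $withval in /*) ;; *) AC_MSG_ERROR([--with-ssl-root-cert-dir requires an absolute path]) ;; esac]`. The value is also pasted unescaped into a C string literal by `AC_DEFINE_UNQUOTED`, so a quote or backslash in DIR would produce a broken pg_config.h. The help text could add that DIR must be writable only by the administrator.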
@@ -735,6 +735,10 @@ /* Define to 1 if strerror_r() returns a int. */ #undef STRERROR_R_INT +/* Define to the system-wide directory for root.crt and root.crl, if not + present in home directory (--with-ssl-root-cert-dir=DIR) */ +#undef SYSTEM_SSL_ROOT_PATH + /* Define to 1 if your <sys/time.h> declares `struct tm'. */ #undef TM_IN_SYS_TIME
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 5764d2f..558a781 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -1061,7 +1061,14 @@ initialize_SSL(PGconn *conn)
 if (conn->sslrootcert && strlen(conn->sslrootcert) > 0)
 strncpy(fnbuf, conn->sslrootcert, sizeof(fnbuf));
 else
+ {
 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
+#ifdef SYSTEM_SSL_ROOT_PATH
+ /* try falling back to system wide location */
+ if (stat(fnbuf, &buf) != 0)
+ snprintf(fnbuf, sizeof(fnbuf), "%s/root.crt", SYSTEM_SSL_ROOT_PATH);
+#endif
+ }

 if (stat(fnbuf, &buf) == 0)
 {
@@ -1083,7 +1090,14 @@ initialize_SSL(PGconn *conn)
 if (conn->sslcrl && strlen(conn->sslcrl) > 0)
 strncpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
 else
+ {
 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
+#ifdef SYSTEM_SSL_ROOT_PATH
+ /* try falling back to system wide location */
+ if (stat(fnbuf, &buf) != 0)
+ snprintf(fnbuf, sizeof(fnbuf), "%s/root.crl", SYSTEM_SSL_ROOT_PATH);
+#endif
+ }

 /* Set the flags to check against the complete CRL chain */
 if (X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
--
1.7.1
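Review bot: The fallback test `if (stat(fnbuf, &buf) != 0)` in the first fe-secure.c hunk treats every stat() failure as "file not present". A permission error or other failure on the per-user root.crt therefore silently switches certificate verification to the system-wide trust anchor. Restricting the fallback to a missing file, `if (stat(fnbuf, &buf) != 0 && errno == ENOENT)`, keeps a user's own CA from being replaced unnoticed (assuming errno is already available in fe-secure.c); the same test is repeated for root.crl in the second hunk. Both hunks also write the file names as literals (`"%s/root.crt"`, `"%s/root.crl"`) where the home-directory lookup one line earlier uses `ROOT_CERT_FILE` and `ROOT_CRL_FILE`; `"%s/%s", SYSTEM_SSL_ROOT_PATH, ROOT_CERT_FILE` would keep the two lookups in step. The body of initialize_SSL starts and ends outside both hunks.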
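Review bot: The root.crl fallback in the second fe-secure.c hunk is decided independently of where root.crt was found, so a user with a private ~/.postgresql/root.crt and no CRL of their own now gets the system-wide root.crl loaded into the same store. The context comment just below says the flags check the complete CRL chain; if the code after the hunk does that, a system CRL that does not cover the user's CA could make verification fail for that user. Consider recording in the first hunk that the system location supplied the certificate and testing it here, e.g. `if (used_system_root && stat(fnbuf, &buf) != 0)`, with a comment such as `/* system-wide CRL is only paired with the system-wide root.crt */`. initialize_SSL continues beyond the hunk, so the flag handling should be confirmed against the full function.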