diff options
| author | Tom Lane | 2017-01-03 17:33:29 +0000 |
|---|---|---|
| committer | Tom Lane | 2017-01-03 17:33:29 +0000 |
| commit | 1e942c7474d7b5e4bfa04918d2f68d95902f17b3 (patch) | |
| tree | 27f471c858eec49e4ae0ed1d732cc1ecc407e01b /src | |
| parent | 3d54c16c24d7fd73c9fdfa4b2f946899f7f85e58 (diff) | |
Disable prompting for passphrase while (re)loading SSL config files.
OpenSSL's default behavior when loading a passphrase-protected key file
is to open /dev/tty and demand the password from there. It was kinda
sorta okay to allow that to happen at server start, but really that was
never workable in standard daemon environments. And it was a complete
fail on Windows, where the same thing would happen at every backend launch.
Yesterday's commit de41869b6 put the final nail in the coffin by causing
that to happen at every SIGHUP; even if you've still got a terminal acting
as the server's TTY, having the postmaster freeze until you enter the
passphrase again isn't acceptable.
Hence, override the default behavior with a callback that returns an empty
string, ensuring failure. Change the documentation to say that you can't
have a passphrase-protected server key, period.
If we can think of a production-grade way of collecting a passphrase from
somewhere, we might do that once at server startup and use this callback
to feed it to OpenSSL, but it's far from clear that anyone cares enough
to invest that much work in the feature. The lack of complaints about
the existing fractionally-baked behavior suggests nobody's using it anyway.
Discussion: https://postgr.es/m/[email protected]
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/libpq/be-secure-openssl.c | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 4a39d7f7467..45ad4120038 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -75,6 +75,7 @@ static DH *load_dh_file(int keylength); static DH *load_dh_buffer(const char *, size_t); static DH *generate_dh_parameters(int prime_len, int generator); static DH *tmp_dh_cb(SSL *s, int is_export, int keylength); +static int ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata); static int verify_cb(int, X509_STORE_CTX *); static void info_cb(const SSL *ssl, int type, int args); static bool initialize_ecdh(SSL_CTX *context, bool failOnError); @@ -204,6 +205,11 @@ be_tls_init(bool failOnError) SSL_CTX_set_mode(context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); /* + * Override OpenSSL's default handling of passphrase-protected files. + */ + SSL_CTX_set_default_passwd_cb(context, ssl_passwd_cb); + + /* * Load and verify server's certificate and private key */ if (SSL_CTX_use_certificate_chain_file(context, ssl_cert_file) != 1) @@ -1061,6 +1067,29 @@ tmp_dh_cb(SSL *s, int is_export, int keylength) } /* + * Passphrase collection callback + * + * If OpenSSL is told to use a passphrase-protected server key, by default + * it will issue a prompt on /dev/tty and try to read a key from there. + * That's completely no good for a postmaster SIGHUP cycle, not to mention + * SSL context reload in an EXEC_BACKEND postmaster child. So override it + * with this dummy function that just returns an empty passphrase, + * guaranteeing failure. Later we might think about collecting a passphrase + * at server start and feeding it to OpenSSL repeatedly, but we'd still + * need this callback for that. + */ +static int +ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata) +{ + ereport(LOG, + (errcode(ERRCODE_CONFIG_FILE_ERROR), + errmsg("server's private key file requires a passphrase"))); + Assert(size > 0); + buf[0] = '\0'; + return 0; +} + +/* * Certificate verification callback * * This callback allows us to log intermediate problems during |