Client TLS with host and hostssl #105

Closed
trourance opened this Issue Jan 25, 2016 · 9 comments

@trourance

Hi,

We are trying to migrate our stunnel/pgbouncer config to pgbouncer using the latest 1.7 version.
We have tried to use the hba auth type as well, as we have some connections that must use SSL and some that do not.
However, if we set the parameter client_tls_sslmode=verify-full in the config file and a record with host in the hba file, pgbouncer forces the connection with TLS.
On the other hand, if we set the parameter client_tls_sslmode=allow in the config file and a record with hostssl in the hba file, pgbouncer rejects the connection with a certificate error message: psql: SSL error: certificate verify failed
and a trace in the log file: WARNING TLS handshake error: handshake failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
But in the documentation:

allow
If client requests TLS, it is used. If not, plain TCP is used. If client uses client-certificate, it is not validated.

So, at the moment we have not been able to configure both types of connection, with and without SSL, when client_tls_sslmode is set.

markokr (Contributor) commented Feb 8, 2016

verify-ca/full require valid client certs; allow/require also allow connections without a client cert.

But why should they allow invalid client certs? The fix you need is to stop sending client certs.

I'm not completely against changing that, but I'd like to have a good reason for it.

The reason to keep the current behaviour is to support use of HBA and ssl-mode=allow to have databases with ssl+cert-auth, ssl+password-auth, and plain tcp in one config. This seems currently broken, but I would rather make that work than support use of invalid client certs when not needed.


@markokr markokr self-assigned this Feb 8, 2016

trourance commented Feb 11, 2016

Hi,

I would completely agree with you if that was the case. The truth, however, is that the client certificate is valid!
We use exactly the same client cert to authenticate in stunnel and it is fully trusted.
I don't understand why allow/require claims not to check the client certificate at all, but then complains about an invalid CA, which is wrong!


markokr (Contributor) commented Feb 11, 2016

So the problem is that a valid cert fails, but only when mode is not verify-*?

This is a bug. But it might be fixed by commit 6eccac1; before that tls_config_verify_client_optional was not called at all. Could you check if you can reproduce the problem with current master?


trourance commented Feb 11, 2016

Hi Marko,

I have tried the code in master, but when I start pgbouncer, I have weird errors:

2016-02-11 17:03:02.547 14346 DEBUG parse_ini_file: 'client_tls_sslmode' = 'allow'
2016-02-11 17:03:02.547 14346 ERROR client_tls_sslmode: syntax error in connstring
2016-02-11 17:03:02.547 14346 DEBUG parse_ini_file: 'client_tls_sslmode' = 'allow' ok:1
2016-02-11 17:03:02.547 14346 DEBUG parse_ini_file: 'client_tls_key_file' = '/usr/local/etc/xxxx.ch.key'
2016-02-11 17:03:02.547 14346 ERROR client_tls_key_file: syntax error in connstring
2016-02-11 17:03:02.547 14346 DEBUG parse_ini_file: 'client_tls_key_file' = '/usr/local/etc/xxxx.ch.key' ok:1
2016-02-11 17:03:02.547 14346 DEBUG parse_ini_file: 'client_tls_cert_file' = '/usr/local/etc/xxxx.ch.cer'
2016-02-11 17:03:02.547 14346 ERROR client_tls_cert_file: syntax error in connstring
2016-02-11 17:03:02.547 14346 DEBUG parse_ini_file: 'client_tls_cert_file' = '/usr/local/etc/xxxx.ch.cer' ok:1
2016-02-11 17:03:02.547 14346 DEBUG parse_ini_file: 'client_tls_ca_file' = '/usr/local/etc/xxxx.ch-ca.crt'
2016-02-11 17:03:02.547 14346 ERROR client_tls_ca_file: syntax error in connstring
2016-02-11 17:03:02.547 14346 DEBUG parse_ini_file: 'client_tls_ca_file' = '/usr/local/etc/xxxx.ch-ca.crt' ok:


markokr (Contributor) commented Feb 11, 2016

client_tls_key_file: syntax error in connstring

Weird. Could it be that you are using those settings in the [databases] section? They don't work there.


trourance commented Feb 12, 2016

My mistake, sorry. The client TLS settings were in the wrong section.
The issue with the invalid CA has been fixed.

However, when I set client_tls_sslmode=allow in the .ini file and a host record in the hba file, pgbouncer still forces the connection with TLS. I have to explicitly set hostnossl to use plain TCP.
Is that the intended behaviour?


markokr (Contributor) commented Feb 12, 2016

It's libpq's default behaviour: if SSL is available it uses it, unless you use sslmode=disable. But please test if that works.


trourance commented Feb 12, 2016

Ok, thanks for the info. It works with sslmode=disable

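The configuration this thread converges on, as an added example that is not code from the pgbouncer project or anything posted in the thread. It covers two points made above: markokr's note that the client_tls_* settings do not work in the [databases] section (the "syntax error in connstring" errors), and the final outcome that a plain-TCP database needs a hostnossl rule in the HBA file plus sslmode=disable on the libpq side, because libpq negotiates TLS by default whenever the server offers it. The file paths, database names, address ranges, the reject catch-all rule and the lint_pgbouncer_ini helper are assumptions for illustration; the lint is a generic INI section check, not a pgbouncer feature.

```shell
# Added example (not pgbouncer project code): write a pgbouncer.ini with the
# client_tls_* keys in the [pgbouncer] section, an HBA file that separates
# TLS-only and plain-TCP databases, and lint the ini for the mistake from this
# thread (client_tls_* keys placed under [databases]).
# Paths, database names and address ranges below are assumptions.
set -u

write_good_config() {
  cat > "$1" <<'EOF'
[databases]
secure_db = host=127.0.0.1 port=5432 dbname=secure_db
legacy_db = host=127.0.0.1 port=5432 dbname=legacy_db

[pgbouncer]
listen_addr = 0.0.0.0
listen_port = 6432
auth_type = hba
auth_hba_file = /etc/pgbouncer/pg_hba.conf
auth_file = /etc/pgbouncer/userlist.txt
; allow: TLS if the client asks for it, plain TCP otherwise (quoted docs above).
; These keys belong here, not under [databases].
client_tls_sslmode = allow
client_tls_key_file = /etc/pgbouncer/server.key
client_tls_cert_file = /etc/pgbouncer/server.crt
client_tls_ca_file = /etc/pgbouncer/client-ca.crt
EOF
}

write_bad_config() {
  # The mistake from the thread: TLS keys under [databases], where every line
  # is parsed as "name = connstring" and the key is rejected.
  cat > "$1" <<'EOF'
[databases]
client_tls_sslmode = allow
client_tls_ca_file = /etc/pgbouncer/client-ca.crt
secure_db = host=127.0.0.1 port=5432 dbname=secure_db

[pgbouncer]
listen_port = 6432
auth_type = hba
EOF
}

write_hba() {
  cat > "$1" <<'EOF'
# TYPE      DATABASE   USER   ADDRESS         METHOD
# TLS only: a plain-TCP attempt against secure_db matches no rule and is refused.
hostssl     secure_db  all    10.0.0.0/8      md5
# Plain TCP only. A libpq client negotiates TLS by default, so it must connect
# with sslmode=disable to reach this rule.
hostnossl   legacy_db  all    10.0.0.0/8      md5
# Assumed catch-all: refuse anything not matched above instead of falling through.
host        all        all    0.0.0.0/0       reject
EOF
}

lint_pgbouncer_ini() {
  # Returns 0 when every client_tls_* key is under [pgbouncer]; otherwise prints
  # each offending line ("file:line: key must be in [pgbouncer], found in [x]")
  # and returns 1. Section names are compared case-insensitively.
  awk '
    BEGIN { bad = 0 }
    /^[ \t]*[;#]/ { next }
    /^[ \t]*\[/ { sec = tolower($0); gsub(/[][ \t]/, "", sec); next }
    /^[ \t]*client_tls_[a-z_]+[ \t]*=/ && sec != "pgbouncer" {
      key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*$/, "", key)
      printf "%s:%d: %s must be in [pgbouncer], found in [%s]\n", FILENAME, FNR, key, sec
      bad = 1
    }
    END { exit bad }
  ' "$1"
}

workdir=$(mktemp -d)
write_good_config "$workdir/pgbouncer.ini"
write_bad_config "$workdir/pgbouncer-bad.ini"
write_hba "$workdir/pg_hba.conf"

lint_pgbouncer_ini "$workdir/pgbouncer.ini" && echo "pgbouncer.ini: client TLS keys are in [pgbouncer]"
lint_pgbouncer_ini "$workdir/pgbouncer-bad.ini" || echo "pgbouncer-bad.ini: move the keys before starting pgbouncer"

# Client side (not run here): libpq's default uses TLS whenever the server
# offers it, so the plain-TCP database is only reachable with sslmode=disable.
#   psql "host=bouncer port=6432 dbname=secure_db sslmode=require"
#   psql "host=bouncer port=6432 dbname=legacy_db sslmode=disable"
rm -rf "$workdir"
```

Run the lint against a real pgbouncer.ini before restarting the service; the errors in the thread only appear at startup, after the old process is already gone.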

markokr (Contributor) commented Feb 12, 2016

Thanks for the report.

Closing.


@markokr markokr closed this Feb 12, 2016

brainsam referenced this issue in brainsam/pgbouncer Jul 19, 2017: TLS server config seems to be ignored #7 (Open)
