Thread: Certificate, login & php question ?
Hi,
I have setup an apache server with SSL.
I create a CA, serker.key, server.crt.
I create a user.key and user.cert.
Now the apache server accept only the correct certificate for login on a given directory.
I have a PHP script that query the database using the HTTP login/password as PostgreSQL user/password.
I plan to add the same SSL setup to PostreSQL.
1) Is it possible to use the SSL authentification done by apache with PostgreSQL ?
2) How the DN of the certificate is match against an PostgreSQL role ?
Any help is welcomed.
Pailloncy Jean-Gerard
Attachment
On Mon, Sep 11, 2006 at 02:32:26AM +0200, Jean-Gerard Pailloncy wrote: > I have setup an apache server with SSL. > I create a CA, serker.key, server.crt. > I create a user.key and user.cert. > Now the apache server accept only the correct certificate for login > on a given directory. > > I have a PHP script that query the database using the HTTP login/ > password as PostgreSQL user/password. > > I plan to add the same SSL setup to PostreSQL. > 1) Is it possible to use the SSL authentification done by apache with > PostgreSQL ? I don't think so. If the PHP script makes an SSL connection to PostgreSQL and PostgreSQL requests a client certificate, then the PHP script will need access to a private key to respond correctly. The HTTP client's private key won't be available to Apache/PHP (at least not via the HTTP connection) so the script will need to use a private key of its own. I'm not aware of a way for Apache to proxy PostgreSQL's SSL negotiation with the PHP script back to the HTTP client. > 2) How the DN of the certificate is match against an PostgreSQL role ? As far as I can tell no such matching is done. I can make SSL connections to PostgreSQL as any user with the same certificate, and I don't see anything in the documentation that allows that to be configured. If I've overlooked something then somebody please point it out. -- Michael Fuhr
On Sun, Sep 10, 2006 at 09:39:59PM -0600, Michael Fuhr wrote: > On Mon, Sep 11, 2006 at 02:32:26AM +0200, Jean-Gerard Pailloncy wrote: > > 1) Is it possible to use the SSL authentification done by apache with > > PostgreSQL ? > > I'm not aware of a way for Apache to proxy PostgreSQL's SSL > negotiation with the PHP script back to the HTTP client. If such a capability existed then it could arguably be considered a flaw in SSL because it would allow a server to impersonate one of its clients to another server or to hijack a client's secure connection with another server. Secure protocols are designed to prevent such attacks. -- Michael Fuhr
Le 11 sept. 06 à 05:57, Michael Fuhr a écrit :
The point is to USE AGAIN the authentification done by Apache with PostgreSQL not DO AGAIN the authentification.On Sun, Sep 10, 2006 at 09:39:59PM -0600, Michael Fuhr wrote:On Mon, Sep 11, 2006 at 02:32:26AM +0200, Jean-Gerard Pailloncy wrote:1) Is it possible to use the SSL authentification done by apache withPostgreSQL ?I'm not aware of a way for Apache to proxy PostgreSQL's SSLnegotiation with the PHP script back to the HTTP client.If such a capability existed then it could arguably be considereda flaw in SSL because it would allow a server to impersonate oneof its clients to another server or to hijack a client's secureconnection with another server. Secure protocols are designed toprevent such attacks.
Googling around, I found:
mod_auth_krb with "AuthType KerberosV5SaveCredentials"
The auth is done by mod_auth_krb and mod_perl is able to use the same ticket for PostgreSQL. It is in the doc of PG.
I found a page that presents phpkrb5 that may do the same things for mod_php
The project is hosted on http://savannah.nongnu.org/projects/phpkrb5/
but is not really up to date (3 years old, and only for php4)
In fact, things may look simple after reading http://archives.postgresql.org/pgsql-php/2004-08/msg00031.php
I'VE DONE IT! THE HOLY GRAIL OF WEB/DB APPS! :)All it takes it this line your PHP script:putenv("KRB5CCNAME={$_SERVER['KRB5CCNAME']}");Then pg_connect works :)
but it is not reliable (http://archives.postgresql.org/pgsql-php/2004-08/msg00033.php).
Sorry for the noise, but my question seems to me less and less PostgreSQL centric.
On heavy solution may be a SSO with kerberos. Many new questions then...
If someone has already done that, I would be glad to have some good URL.
Pailloncy Jean-Gerard
Attachment
On Mon, Sep 11, 2006 at 10:44:18AM +0200, Jean-Gerard Pailloncy wrote: > Le 11 sept. 06 à 05:57, Michael Fuhr a écrit : > > If such a capability existed then it could arguably be considered > > a flaw in SSL because it would allow a server to impersonate one > > of its clients to another server or to hijack a client's secure > > connection with another server. Secure protocols are designed to > > prevent such attacks. > > The point is to USE AGAIN the authentification done by Apache with > PostgreSQL not DO AGAIN the authentification. To "use again" the client's authentication you'd have to "do again" the authentication. If the PHP script makes an SSL connection to PostgreSQL then that connection is independent of the HTTP client's SSL connection with the web server. If the server in the new connection (PostgreSQL) sends an SSL CertificateRequest message then the client (the PHP script) needs access to a certificate and the corresponding private key to reply with Certificate and CertificateVerify messages. The HTTP client's certificate would be available but that client's private key would not, so the PHP script would have no way to build a valid CertificateVerify message. > Googling around, I found: > mod_auth_krb with "AuthType KerberosV5SaveCredentials" > The auth is done by mod_auth_krb and mod_perl is able to use the same > ticket for PostgreSQL. It is in the doc of PG. You didn't mention Kerberos before; you said you wanted to reuse the client's SSL authentication. Kerberos works differently than SSL; I'd have to research the links you mentioned to see if reusing the client's credientials would indeed be possible using Kerberos. -- Michael Fuhr