On 26/05/10 10:25, Stephen Frost wrote:
>>> In any case I'm thinking that we need to document how to set up
>>> configurations with chains of CA certs.
>>
>> Yes, and patch the server to send the list of trusted CAs to the client
>> during client certificate negotiation to fix #5468.
>
> Agreed.
A quick update on my own testing: I've found that the Sun PKCS#12 keystore provider behaves just like OpenSSL. It unconditionally sends the one and only client cert it has to the server; after all, there's only one to choose from. This is a royal pain to use, though, and requires the app's security to be configured from the command line at each launch, or the app to override all user settings and thus disable use of PKCS#11 hardware keys, etc.

The issue only arises if there is a keystore in use where the client may have more than one client certificate/key available to it and must pick which one to send to the server. This is true of the default Sun JKS keystore format, and for PKCS#11 stores like hardware crypto keys.

My self-contained test case will demonstrate both PKCS#12 file and JKS keystore cases. Give me a bit to put it all together and you'll have something you can play with, watch chat on the network, etc.

--
Craig Ringer
Tech-related writing: http://soapyfrogs.blogspot.com/

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs