On 26/05/10 11:01, Tom Lane wrote: > In principle, you could have the server and clients using totally > nonoverlapping sets of trusted CAs (nonoverlapping root.crt lists), > as long as each can chain its identity up to a CA the other trusts. > So it's all nice and symmetrical.
... and it's exactly this cases that confuses keystore based clients that may have multiple certs installed. See the self-contained test case here: http://www.postnewspapers.com.au/~craig/testcase.zip ... which includes a Pg datadir and configuration, the certificate authority, the certificates, a detailed log of test case setup, the test programs, logs of test output along with explanation of those logs, etc. -- Craig Ringer Tech-related writing: http://soapyfrogs.blogspot.com/ -- Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-bugs
