> > I think problem is as follows, server sends to client certificates it > can accept (as accepted parents), without intermediate CA, Java sees > only top-level cert and tries to find client cert issued directly by > top-level CA, I may only assume, that without intermediate CA you will > be able to auth against any cert signed by top-level CA (this may cause > small security hole as well). > > I think this is not needed, but I suggest You too check cert "policies" > with v3 extensions. > > Java is really pedantic, about security. > > Regards, > Radek >
The problem is that I believe that this configuration could be better but I cannot put part of CA chain in root.crt as it was advised. For Java it all depends on current SSL Factory implementation, I was using the default one. If I wrote my own implementation I would probably be able to have common with libpq, requiring the least info, configuration (but actually I would prefer to avoid it). Kind regards, Joanna -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
