On 6/3/20 7:57 PM, Chapman Flack wrote: > > In an ideal world, I think libpq would be using this algorithm: > > I'm looking at the server's certificate, s. > Is s unexpired and in the trust file? If so, SUCCEED. > > otherwise, loop: > get issuer certificate i from s (if s is self-signed, FAIL). > does i have CA:TRUE and Certificate Sign bits? If not, FAIL. > does i's Domain Constraint allow it to sign s? If not, FAIL. > is i unexpired, or has s a Signed Certificate Timestamp made > while i was unexpired? If not, FAIL. > is i in the trust file? If so, SUCCEED. > s := i, continue. > > (I left out steps like verify signature, check revocation, etc.) > > What it seems to be doing, though, is just: > > I'm looking at s > Follow chain all the way to a self-signed cert > is that in the file? > > which seems too simplistic. >
Do we actually do any of this sort of thing? I confess my impression was this is all handled by the openssl libraries, we just hand over the certs and let openssl do its thing. Am I misinformed about that? cheers andrew -- Andrew Dunstan https://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
