On 12/02/2013 04:17 PM, Tom Lane wrote:
> Bruce Momjian <br...@momjian.us> writes:
>> Sorry, I should have said:
>> Tom is saying that for his openssl version, a client that passed
>> an intermediate certificate had to supply a certificate _matching_
>> something in the remote root.crt, not just signed by it.
>> At least I think that was the issue, rather than requiring the client to
>> supply a "root" certificate, meaning the client can supply an
>> intermediate or root certificate, as long as it appears in the
>> root.crt file on the remote end.
> As far as the server is concerned, anything listed in its root.crt *is* a
> trusted root CA. Doesn't matter if it's a child of some other CA.
> The issue is that the client's cert has to be linked to some element of
> root.crt somehow. In principle you'd think that if the client provides
> an intermediate CA cert, the server should be able to match that to
> whichever root.crt member signed it, but that wasn't what I saw
> happening. It'd be good for someone who uses SSL more than I do to
> replicate the experiment, though. It's not impossible that I screwed up.
I have a test script I developed when I had some difficulties with
intermediate CAs a while back. I'll see if I can clean it up and test
this out.
cheers
andrew
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers