On Mon, Dec 2, 2013 at 12:44:08PM -0500, Bruce Momjian wrote: > On Sat, Nov 30, 2013 at 12:10:19PM -0500, Bruce Momjian wrote: > > > Drat, you're quite right. I've always included the full certificate > > > chain in client certs but it's in no way required. > > > > > > I guess that pretty much means maintaining the status quo and documenting > > > it better. > > > > I have developed the attached patch to document this behavior. My goals > > were: > > > > * clarify that a cert can match a remote intermediate or root certificate > > * clarify that the client cert must match a server root.crt > > * clarify that the server cert much match a client root.crt > > * clarify that the root certificate does not have to be specified > > in the client or server cert as long as the remote end has the chain > > to the root > > > > Does it meet these goals? Is it correct? > > I have updated the patch, attached, to be clearer about the requirement > that intermediate certificates need a chain to root certificates.
Patch applied to head. -- Bruce Momjian <br...@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + Everyone has their own god. + -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
