On Fri, Jan 26, 2018 at 08:09:30AM -0500, Bruce Momjian wrote:
> On Thu, Jan 25, 2018 at 10:59:23PM -0500, Peter Eisentraut wrote:
> > If you change the Makefile rule for generating the client CA to omit the
> > -extensions v3_ca option, then the first test will fail.
>
> Oh, very good!
Good poin
On Thu, Jan 25, 2018 at 10:59:23PM -0500, Peter Eisentraut wrote:
> On 1/16/18 00:33, Michael Paquier wrote:
> > On top of that, src/test/ssl does not provide any kind of coverage for
> > that. It would be an area of improvement for those tests.
>
> The tests already cover this:
>
> # intermediat
On 1/16/18 00:33, Michael Paquier wrote:
> On top of that, src/test/ssl does not provide any kind of coverage for
> that. It would be an area of improvement for those tests.
The tests already cover this:
# intermediate client_ca.crt is provided by client, and isn't in
server's ssl_ca_file
switch_
On Thu, Jan 18, 2018 at 12:17:40PM +0900, Michael Paquier wrote:
> On Wed, Jan 17, 2018 at 09:00:17PM -0500, Bruce Momjian wrote:
> > On Thu, Jan 18, 2018 at 10:25:03AM +0900, Michael Paquier wrote:
> > > /etc/ssl/openssl.cnf is not available on macOS or Windows, which can
> > > lead to a bit of co
On Wed, Jan 17, 2018 at 09:00:17PM -0500, Bruce Momjian wrote:
> On Thu, Jan 18, 2018 at 10:25:03AM +0900, Michael Paquier wrote:
> > /etc/ssl/openssl.cnf is not available on macOS or Windows, which can
> > lead to a bit of confusion as I would imagine that people would
> > copy/paste such commands
On Thu, Jan 18, 2018 at 10:25:03AM +0900, Michael Paquier wrote:
> On Wed, Jan 17, 2018 at 07:34:42AM -0500, Bruce Momjian wrote:
> > Yes, I was not happy about that either. I was afraid that pound-sign
> > comments would look like root prompts but I just added them and they
> > look fine. Update
On Wed, Jan 17, 2018 at 07:34:42AM -0500, Bruce Momjian wrote:
> On Wed, Jan 17, 2018 at 05:20:00PM +0900, Michael Paquier wrote:
> > The succession of commands for the intermediate certificates
> > is wild. Could it be possible to explain what each command means? Users
> > would not ge
On Wed, Jan 17, 2018 at 08:39:55AM -0500, Bruce Momjian wrote:
> On Wed, Jan 17, 2018 at 07:34:42AM -0500, Bruce Momjian wrote:
> > > The succession of commands for the intermediate certificates
> > > is wild. Could it be possible to explain what each command means? Users
> > > would no
On Wed, Jan 17, 2018 at 07:34:42AM -0500, Bruce Momjian wrote:
> > The succession of commands for the intermediate certificates
> > is wild. Could it be possible to explain what each command means? Users
> > would not get lost this way.
>
> Yes, I was not happy about that either. I wa
On Wed, Jan 17, 2018 at 05:20:00PM +0900, Michael Paquier wrote:
> On Tue, Jan 16, 2018 at 10:23:44PM -0500, Bruce Momjian wrote:
> > On Wed, Jan 17, 2018 at 09:09:50AM +0900, Michael Paquier wrote:
> > > On Tue, Jan 16, 2018 at 11:21:22AM -0500, Bruce Momjian wrote:
> > > > On Tue, Jan 16, 2018 at
On Tue, Jan 16, 2018 at 10:23:44PM -0500, Bruce Momjian wrote:
> On Wed, Jan 17, 2018 at 09:09:50AM +0900, Michael Paquier wrote:
> > On Tue, Jan 16, 2018 at 11:21:22AM -0500, Bruce Momjian wrote:
> > > On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
>
> I ended up merging the "ch
On Wed, Jan 17, 2018 at 09:09:50AM +0900, Michael Paquier wrote:
> On Tue, Jan 16, 2018 at 11:21:22AM -0500, Bruce Momjian wrote:
> > On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
> > > This bit is important. I am happy that your patch mentions that
> > > intermediate certificate
On Tue, Jan 16, 2018 at 11:21:22AM -0500, Bruce Momjian wrote:
> On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
> > This bit is important. I am happy that your patch mentions that
> > intermediate certificates avoid the need to store root ones on the
> > client. Should the docs me
On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
> > My talk documents this behavior. In this talk:
> >
> > https://momjian.us/main/writings/pgsql/tls.pdf
> >
> > slides 47 and 49 use -extensions v3_ca. Slides 73 and 74 show that the
> > intermediate is not needed on the clie
On Mon, Jan 15, 2018 at 07:22:38PM -0500, Bruce Momjian wrote:
> I asked Stephen Frost and David Steele for details on the arcane art of
> SSL certificate creation. They showed me scripts they use and explained
> that they properly pass intermediate certificates to clients. The trick
> was to use
We have been confused by the behavior of intermediate certificates in
Postgres for many years. Some people put the intermediate certificates
only on the server and they were supplied to the client, while other
people couldn't get that to work. In our documentation we recommended
storing intermedi
16 matches