| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
| Cc: | Ian Pilcher <arequipeno(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org, tgl(at)sss(dot)pgh(dot)pa(dot)us, stellr(at)vt(dot)edu, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Trust intermediate CA for client certificates |
| Date: | 2013-03-18 12:55:18 |
| Message-ID: | 20130318125517.GU4361@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-hackers |
Craig, all,
* Craig Ringer (craig(at)2ndquadrant(dot)com) wrote:
> PROBLEM VERIFIED
Let me just say "ugh". I've long wondered why we have things set up in
such a way that the whole chain has to be in one file, but it didn't
occur to me that it'd actually end up causing this issue. In some ways,
I really wonder about this being OpenSSL's fault as much as ours, but I
doubt they'd see it that way. :)
> What we need to happen instead is for root.crt to contain only the
> trusted certificates and have a *separate* file or directory for
> intermediate certificates that OpenSSL can look up to get the
> intermediates it needs to validate client certs, like
> `ssl_ca_chain_file` or `ssl_ca_chain_path` if we want to support
> OpenSSL's hashed certificate directories.
Makes sense to me. I'm not particular about the names, but isn't this
set of CAs generally considered intermediary? Eg: 'trusted', '
intermediate', etc?
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Adrian Klaver | 2013-03-18 13:26:05 | Re: C++Builder table exist |
| Previous Message | Greg Jaskiewicz | 2013-03-18 11:55:30 | Re: Addled index |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Simon Riggs | 2013-03-18 14:01:24 | Re: Enabling Checksums |
| Previous Message | robins | 2013-03-18 11:46:31 | Re: Patch to add regression tests for SCHEMA |