From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> |
Cc: | pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
Subject: | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |
Date: | 2010-05-25 15:48:44 |
Message-ID: | 23787.1274802524@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> writes:
> Bug 5245 is not the same issue. They're talking about the server not
> sending the full certificate chain for the cert that identifies the
> server (server.crt). It's nothing to do with client certificates.
> Without the full chain, the client can't verify the server unless it
> happens to already have the intermediate certs between the server's cert
> and the trusted root that signed it installed locally. I haven't
> encountered #5245 myself, but will test it shortly to verify. It'd
> certainly count as a significant bug, as it would make it impossible to
> use indirect trust to verify a server (as is the case when a corporate
> CA signed by a "big name" CA is in use).
BTW, does anyone know exactly how to fix that? I'm looking at a related
request internal to Red Hat right now.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Magnus Hagander | 2010-05-25 16:29:11 | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |
Previous Message | Dave Page | 2010-05-25 15:36:40 | Re: BUG #5471: Postgres License Url is Misspelled |