From: | Ray Stell <stellr(at)vt(dot)edu> |
---|---|
To: | Ian Pilcher <arequipeno(at)gmail(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Trust intermediate CA for client certificates |
Date: | 2013-03-07 18:42:36 |
Message-ID: | 2D1F02BF-55A0-40BC-96F2-D2D8EE4B52C7@vt.edu |
Lists: | pgsql-general pgsql-hackers |
On Mar 7, 2013, at 9:37 AM, Ian Pilcher wrote:
> On 03/07/2013 08:28 AM, Tom Lane wrote:
>> Maybe I'm missing something, but I don't see why you'd expect a
>> different result. That leaves you with no way to validate the server's
>> own certificate.
>
> I don't follow. Why would the server need to validate its own
> certificate?

What Tom said works for me. Here is a page that gives an example, and I think it demonstrates that the root CA does not allow everybody in the gate; the chain has to be in place:

http://stackoverflow.com/questions/1456034/trouble-understanding-ssl-certificate-chain-verification

You can use the "openssl verify" command to test that the root is not wide open on its own.
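
The "openssl verify" check mentioned in the message can be reproduced with a throwaway chain. The script below is an added example, not part of the original message: the CA and client names, the file names and the helper functions are constructed for illustration, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed throwaway PKI: Demo Root -> Demo Intermediate -> demo-client.
# All names, file names and helper functions are made up for this example.

new_csr() {   # $1 = file basename, $2 = subject CN; writes $1.key and $1.csr
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr"
}

build_chain() (   # $1 = empty working directory (body runs in a subshell)
    cd "$1" || exit 1
    # Minimal config so the run does not depend on a system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = unused' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' > ca.cnf
    new_csr root "Demo Root" &&
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
        -extfile ca.cnf -extensions v3_ca -out root.crt &&
    new_csr int "Demo Intermediate" &&
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 2 \
        -days 30 -extfile ca.cnf -extensions v3_ca -out int.crt &&
    new_csr client "demo-client" &&
    openssl x509 -req -in client.csr -CA int.crt -CAkey int.key -set_serial 3 \
        -days 30 -out client.crt
)

verify_with() {   # arguments go straight to "openssl verify"; prints ok or FAIL
    if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

demo() {
    dir=$(mktemp -d) || return 1
    build_chain "$dir" >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
    # Root trusted, intermediate not supplied: no path from client to root.
    echo "root only:           $(verify_with -CAfile "$dir/root.crt" "$dir/client.crt")"
    # Root trusted, intermediate supplied as an untrusted chain certificate.
    echo "root + intermediate: $(verify_with -CAfile "$dir/root.crt" \
        -untrusted "$dir/int.crt" "$dir/client.crt")"
    # Only the intermediate in the trust file: the chain does not end at a
    # self-signed root, so the default verification rejects it.
    echo "intermediate only:   $(verify_with -CAfile "$dir/int.crt" "$dir/client.crt")"
    rm -rf "$dir"
}

demo
```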