Skip site navigation (1) Skip section navigation (2)

Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
Cc: pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
Date: 2010-05-26 02:16:34
Message-ID: 3293.1274840194@sss.pgh.pa.us (view raw or flat)
Thread:
Lists: pgsql-bugs
Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> writes:
> You are confusing these two unrelated phases of SSL negotiation.

No, I don't think so.

> For the complaint in #5245 to be addressed, the server must send the
> full certificate chain for the certificate the server is using to
> identify its self as pgserver.domain.com to the client during the
> ServerHello phase of SSL negotiation. If correctly configured, the
> server already does this, and #5245 really just needs some documentation
> improvements.

As best I can tell, the server already does that, if correctly
configured, and the configuration described in #5245 is correct.
Therefore, it's failing because of something else.  What the reporter
of #5245 *says* the bug is is not necessarily what it *actually* is.
What I believe his *actual* problem is is that Java is unable to verify
the cert chain without a name for (at least) the root cert.  That makes
it the same as #5468, or at least it has the same fix.

I have found an additional bug here, but it's in libpq not the server,
and thus not responsible for either your bug report or his.  I'll start
a new thread about that in a minute.

			regards, tom lane

In response to

Responses

pgsql-bugs by date

Next:From: Craig RingerDate: 2010-05-26 02:20:17
Subject: Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
Previous:From: Craig RingerDate: 2010-05-26 02:10:25
Subject: Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group