Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
Date: 2010-05-25 23:41:46
Message-ID: 4BFC603A.8050201@postnewspapers.com.au
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

On 26/05/10 07:37, Tom Lane wrote:
> Craig Ringer<craig(at)postnewspapers(dot)com(dot)au> writes:
>> I do *not* have the CA cert concatenated onto server.crt. I'll have to
>> see if that works, because that's how it's usually done with OpenSSL.
>
> Hmm. That case doesn't work for me; what does work is including the
> intermediate cert in the server's root.crt.

Sorry, that was my poor choice of words.

s/the CA cert/the full certificate chain/g

It is the intermediate certs that the client may not have that are the
important ones. 'the CA' I was referring to was the _intermediate_ CA,
eg the company sub-CA; I just needed to be (a lot) clearer about it.

--
Craig Ringer

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Tom Lane 2010-05-26 00:13:15 Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
Previous Message Tom Lane 2010-05-25 23:37:18 Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request