Skip site navigation (1) Skip section navigation (2)

Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
Date: 2010-05-26 05:30:55
Message-ID: 4BFCB20F.2030308@postnewspapers.com.au (view raw or flat)
Thread:
Lists: pgsql-bugs
On 26/05/10 11:01, Tom Lane wrote:
> In principle, you could have the server and clients using totally
> nonoverlapping sets of trusted CAs (nonoverlapping root.crt lists),
> as long as each can chain its identity up to a CA the other trusts.
> So it's all nice and symmetrical.

... and it's exactly this cases that confuses keystore based clients
that may have multiple certs installed.

See the self-contained test case here:

  http://www.postnewspapers.com.au/~craig/testcase.zip

... which includes a Pg datadir and configuration, the certificate
authority, the certificates, a detailed log of test case setup, the test
programs, logs of test output along with explanation of those logs, etc.

-- 
Craig Ringer

Tech-related writing: http://soapyfrogs.blogspot.com/

In response to

Responses

pgsql-bugs by date

Next:From: Daniele VarrazzoDate: 2010-05-26 11:58:15
Subject: Re: BUG #5469: regexp_matches() has poor behaviour and more poor documentation
Previous:From: Mark KirkwoodDate: 2010-05-26 04:14:02
Subject: Re: BUG #5469: regexp_matches() has poor behaviour and more poor documentation

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group