Quick Links

Re: Trust intermediate CA for client certificates

From:	Craig Ringer <craig(at)2ndquadrant(dot)com>
To:	Stephen Frost <sfrost(at)snowman(dot)net>
Cc:	Ian Pilcher <arequipeno(at)gmail(dot)com>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject:	Re: Trust intermediate CA for client certificates
Date:	2013-03-21 05:42:55
Message-ID:	514A9DDF.3050702@2ndquadrant.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-general pgsql-hackers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/19/2013 09:46 PM, Stephen Frost wrote:
> * Craig Ringer (craig(at)2ndquadrant(dot)com) wrote:
>> As far as I'm concerned that's the immediate problem fixed. It may be
>> worth adding a warning on startup if we find non-self-signed certs in
>> root.crt too, something like 'WARNING: Intermediate certificate found in
>> root.crt. This does not do what you expect and your configuration may be
>> insecure; see the Client Certificates chapter in the documentation.'
>
> I'm not sure that I follow this logic, unless you're proposing that
> intermediate CAs only be allowed to be picked up from system-wide
> configuration? That strikes me as overly constrained as I imagine there
> are valid configurations today which have intermediate CAs listed, with
> the intention that they be available for PG to build the chain from a
> client cert that is presented back up to the root. Now, the client
> might be able to provide such an intermediate CA cert too (one of the
> fun things about SSL is that the client can send any 'missing' certs to
> the server, if it has them available..), but it also might not.
>

Drat, you're quite right. I've always included the full certificate
chain in client certs but it's in no way required.

I guess that pretty much means mainaining the status quo and documenting
it better.

- --
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJRSp3fAAoJELBXNkqjr+S2+JYH+wUo2mCMB2n3/mXo24l0rO5+
mxS6d9uJNIZZErZX2I/NfY59kLX1ypUAeGhQnCSOZuxig6Xd91nXzRdkaQF/+WHa
9hEAXbOtl7bMgj8cEIfloQlSU94VXamH53i5YL5ZVLqkQG/7uknY05NbJs3IGM5g
ALrEgo3XOC8JyUz21hZzaQOb2vbdSh0F0O17EoJz1fLY6l5ScFnLWihKYurp5Oq0
em1bsN0GKckmSa7a9mJ37Hvowi92epbtF4XR1DyrQGOHQSCLq0NnCthA5MtdPXN0
+BJQWZfx0qcRcrHMILkFa0Uu7Bc9Ao0q06l55DNSyYXx1FWN0cBArGpXcoPb8Zs=
=BAYd
-----END PGP SIGNATURE-----

In response to

Re: Trust intermediate CA for client certificates at 2013-03-19 13:46:16 from Stephen Frost

Responses

Re: Trust intermediate CA for client certificates at 2013-11-30 17:10:19 from Bruce Momjian

Browse pgsql-general by date

	From	Date	Subject
Next Message	Daniel Cristian Cruz	2013-03-21 11:41:25	Re: Bad plan on a huge table query
Previous Message	Paul Jungwirth	2013-03-21 04:22:30	Re: How to join table to itself N times?

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Pavel Stehule	2013-03-21 06:08:16	Re: Single-argument variant for array_length and friends?
Previous Message	Tom Lane	2013-03-21 04:01:18	Re: Single-argument variant for array_length and friends?