| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |
| Date: | 2010-05-27 02:05:03 |
| Message-ID: | 6352.1274925903@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> writes:
> See the self-contained test case here:
> http://www.postnewspapers.com.au/~craig/testcase.zip
Thanks for posting that; it makes it a lot easier to experiment with the
behavior of the Java software stack.
I've applied your patch along with some hacking on libpq. As far as
I can tell, things now work nicely with chained certificates on either
end, but it could definitely do with more testing if you have time to
poke at CVS HEAD.
I'm still a bit mystified about bug #5245 though. I can see two
possible explanations for that one:
1. The reporter was wrong about which server version he was using;
pre-8.4 servers would in fact not send the whole cert chain, cf
http://archives.postgresql.org/pgsql-committers/2009-05/msg00195.php
2. The reporter was wrong about the actual cause of his problem, and
despite his description, the true reason his Java client was failing
was the lack of SSL_CTX_set_client_CA_list().
Anyway, as far as I can tell the case described there works now.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Craig Ringer | 2010-05-27 02:55:09 | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |
| Previous Message | Mark Kirkwood | 2010-05-27 01:37:50 | Re: xml data type implications of no = |