
Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
Date: 2010-05-27 02:05:03
Message-ID: 6352.1274925903@sss.pgh.pa.us
Lists: pgsql-bugs
Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> writes:
> See the self-contained test case here:
>   http://www.postnewspapers.com.au/~craig/testcase.zip

Thanks for posting that; it makes it a lot easier to experiment with the
behavior of the Java software stack.

I've applied your patch along with some hacking on libpq.  As far as
I can tell, things now work nicely with chained certificates on either
end, but it could definitely do with more testing if you have time to
poke at CVS HEAD.

I'm still a bit mystified about bug #5245 though.  I can see two
possible explanations for that one:

1. The reporter was wrong about which server version he was using;
pre-8.4 servers would in fact not send the whole cert chain, cf
http://archives.postgresql.org/pgsql-committers/2009-05/msg00195.php

2. The reporter was wrong about the actual cause of his problem, and
despite his description, the true reason his Java client was failing
was the lack of SSL_CTX_set_client_CA_list().

Anyway, as far as I can tell the case described there works now.

			regards, tom lane
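The behaviour discussed in this thread can be checked from the client side: `openssl s_client -connect HOST:5432 -starttls postgres </dev/null` prints the CA names the server advertised in its CertificateRequest, and a server that never called SSL_CTX_set_client_CA_list() prints "No client certificate CA names sent" instead. The script below is an added example, not code from this thread or from PostgreSQL; it parses that section of s_client output, using two constructed samples in place of a live server.

```bash
#!/bin/sh
# Added example: extract the "Acceptable client certificate CA names" block
# from `openssl s_client` output. The -starttls postgres option exists in
# OpenSSL 1.1.1 and later; the samples below are constructed, not captured.

# Constructed output for a server that loads a two-entry root.crt and calls
# SSL_CTX_set_client_CA_list(), so the CA list reaches the client.
SAMPLE_WITH_LIST='---
Acceptable client certificate CA names
C = AU, O = Example Pty Ltd, CN = Example Root CA
C = AU, O = Example Pty Ltd, CN = Example Intermediate CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---
SSL handshake has read 2048 bytes and written 400 bytes'

# Constructed output for a server that never set the list (the bug as reported):
# a Java client then has no issuer names to match its keystore against.
SAMPLE_NO_LIST='---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 1536 bytes and written 400 bytes'

# Print one advertised CA name per line; print nothing when the list is empty.
# The block ends at the next "---" separator or at the next s_client heading.
client_ca_names() {
    printf '%s\n' "$1" | awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^---/ || /^Client Certificate Types/ ||
                    /^Requested Signature/ || /^Shared Requested/) { in_list = 0 }
        in_list { print }
    '
}

# Number of advertised CA names; 0 means the server is not sending the list.
client_ca_count() {
    client_ca_names "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: pipe real s_client output in, or run on the samples.
client_ca_count "$SAMPLE_WITH_LIST"   # 2
client_ca_count "$SAMPLE_NO_LIST"     # 0
```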
