Re: libpq should not be using SSL_CTX_set_client_cert_cb

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>
Cc: "pgsql-hackers(at)postgreSQL(dot)org" <pgsql-hackers(at)postgreSQL(dot)org>, Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>, Magnus Hagander <magnus(at)hagander(dot)net>
Subject: Re: libpq should not be using SSL_CTX_set_client_cert_cb
Date: 2010-05-26 14:54:42
Message-ID: 12363.1274885682@sss.pgh.pa.us
Lists: pgsql-hackers

Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu> writes:
> I am guessing the problem is that validating the presented chain is hard?

No, the problem is that the current libpq code fails to present the
chain at all. It will only load and send the first cert in the
postgresql.crt file. This works only when the client's cert is signed
directly by one of the CAs trusted by the server.

regards, tom lane
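The failure Tom describes can be reproduced outside libpq. The script below is an added example, not code from this thread or from PostgreSQL: it uses the openssl command line to build a root CA, an intermediate CA and a client leaf certificate (all names, "Example Root CA", "Example Intermediate CA" and the role name "pguser", are constructed), writes the leaf followed by the intermediate to a file laid out like postgresql.crt, and then models a server that trusts only the root with `openssl verify`. The `first_cert` helper stands in for the behaviour described above (only the first certificate in the file is sent); `verify_presented` is the assumed server-side check, not the server's actual code.

```shell
#!/bin/sh
# Added example: why sending only the first cert of postgresql.crt fails when
# the client cert is issued by an intermediate and the server trusts only the root.
set -e
WORK="$(mktemp -d)"

# Extension file so the intermediate is a CA allowed to sign other certificates.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF

# Generate a fresh EC key and a CSR (or, with -x509, a self-signed cert).
newkey() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes "$@" 2>/dev/null
}

# Build root -> intermediate -> leaf and a postgresql.crt-style file (leaf first).
make_chain() {
    # Self-signed root CA (constructed name); this is what the server's root.crt holds.
    newkey -x509 -keyout "$WORK/root.key" -out "$WORK/root.crt" \
        -subj "/CN=Example Root CA" -days 2
    # Intermediate CA signed by the root.
    newkey -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
        -subj "/CN=Example Intermediate CA"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -set_serial 2 -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
    # Client leaf signed by the intermediate; CN is a constructed database role.
    newkey -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=pguser"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -set_serial 3 -days 2 -out "$WORK/leaf.crt" 2>/dev/null
    # The file an administrator would install as postgresql.crt: leaf, then its issuer.
    cat "$WORK/leaf.crt" "$WORK/inter.crt" > "$WORK/postgresql.crt"
}

# Number of PEM certificates in a file.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Only the first PEM certificate in a file: the part of postgresql.crt that,
# per the thread, libpq actually loads and sends.
first_cert() { awk '/-----BEGIN CERTIFICATE-----/{n++} n==1{print}' "$1"; }

# Assumed server-side view: the server trusts only root.crt and sees exactly the
# certificates the client presented ($1: leaf first, then any intermediates).
# Returns 0 when the presented leaf chains to the root, nonzero otherwise.
verify_presented() {
    first_cert "$1" > "$WORK/presented_leaf.crt"
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" \
        "$WORK/presented_leaf.crt" >/dev/null 2>&1
}

main() {
    make_chain
    first_cert "$WORK/postgresql.crt" > "$WORK/sent_by_libpq.crt"
    echo "certs in postgresql.crt: $(cert_count "$WORK/postgresql.crt")"
    echo "certs actually sent:     $(cert_count "$WORK/sent_by_libpq.crt")"
    if verify_presented "$WORK/sent_by_libpq.crt"; then
        echo "leaf only: accepted"
    else
        echo "leaf only: rejected, issuer not among the server's trusted CAs"
    fi
    if verify_presented "$WORK/postgresql.crt"; then
        echo "leaf + intermediate: accepted"
    else
        echo "leaf + intermediate: rejected"
    fi
}

main
```

Run it as-is; it needs only a working `openssl` binary and writes everything under a temporary directory. The two-certificate file verifies only when the intermediate travels with the leaf, which is exactly the case the current libpq code cannot handle: a certificate signed directly by a CA in the server's root.crt is the one configuration where sending a single certificate is enough.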
