| From: | PG Bug reporting form <noreply(at)postgresql(dot)org> |
|---|---|
| To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Cc: | colin(dot)anderson333+pgsql(at)gmail(dot)com |
| Subject: | BUG #15137: X509 auth breaks in CA has extendedKeyUsage |
| Date: | 2018-03-30 13:11:29 |
| Message-ID: | 152241548992.6324.5143838178015534589@wrigleys.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 15137
Logged by: cocowalla
Email address: colin(dot)anderson333+pgsql(at)gmail(dot)com
PostgreSQL version: 10.2
Operating system: Debian
Description:
I've setup my own X509 CA for testing. If the `extendedKeyUsage` flags is
set to a custom OID in the CA certificate, Postgres is unable to verify any
client certificates.
I see this in the logs, and clients cannot connect:
Could not accept SSL connection: certificate verify failed
Sample openssl config snippet:
[ ca_extensions ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = keyCertSign,cRLSign,digitalSignature
extendedKeyUsage = 1.3.6.1.4.1.12345.1.2
And the command used to generate the CA:
openssl req -new -x509 -sha256 -subj
"/O=Acme/OU=Acme/emailAddress=support(at)acme(dot)com/CN=MyCA" -keyout "CA.key"
-out "CA.crt" -days 7300 -newkey rsa:2048 -extensions ca_extensions
| From | Date | Subject | |
|---|---|---|---|
| Next Message | PG Bug reporting form | 2018-03-30 14:00:29 | BUG #15138: pg_ctl status doesn't find running service |
| Previous Message | PG Bug reporting form | 2018-03-29 20:42:00 | BUG #15136: gin index not used when using column with a where clause |