From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Craig Ringer <craig(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Ian Pilcher <arequipeno(at)gmail(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Trust intermediate CA for client certificates |
Date: | 2013-12-02 20:46:26 |
Message-ID: | 20131202204626.GJ5274@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general pgsql-hackers |
On Mon, Dec 2, 2013 at 03:07:48PM -0500, Tom Lane wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > On Mon, Dec 2, 2013 at 12:59:41PM -0500, Tom Lane wrote:
> >> I see that you removed the sentence
> >> The root
> >> certificate should be included in every case where
> >> <filename>postgresql.crt</> contains more than one certificate.
>
> > I don't fully understand the issues but the discussion seens to indicate
> > this. Am I missing something? Should I run some tests?
>
> My recollection is that if the client cert file includes *only* the
> client's own cert, the server will puzzle out how that connects to the
> certs it has. However, if the client cert file contains more than one
> cert (ie, client's cert and some intermediate-CA cert), the server
> will *not* try to associate the intermediate cert with some root cert it
> has. It wants the chain the client sends to terminate in a cert that it
> has listed directly in root.crt.
OK, so you are saying if the client only supplies one cert, it will try
to find a signing cert in root.crt, but if multiple certs are supplied,
you have to get a cert match (not a signing). I can adjust the docs for
that.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
From | Date | Subject | |
---|---|---|---|
Next Message | Andrew Dunstan | 2013-12-02 20:57:45 | Re: Trust intermediate CA for client certificates |
Previous Message | Tom Lane | 2013-12-02 20:44:18 | Re: Trust intermediate CA for client certificates |
From | Date | Subject | |
---|---|---|---|
Next Message | Andrew Dunstan | 2013-12-02 20:57:45 | Re: Trust intermediate CA for client certificates |
Previous Message | Stephen Frost | 2013-12-02 20:44:46 | Re: Extension Templates S03E11 |