| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Ian Pilcher <arequipeno(at)gmail(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Trust intermediate CA for client certificates |
| Date: | 2013-12-02 21:38:07 |
| Message-ID: | 20131202213807.GQ5274@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-hackers |
On Mon, Dec 2, 2013 at 03:19:43PM -0600, Ian Pilcher wrote:
> On 12/02/2013 02:32 PM, Tom Lane wrote:
> > Ian Pilcher <arequipeno(at)gmail(dot)com> writes:
> >> I'm not sure what you're asking. The desired behavior (IMO) would be to
> >> accept client certificates signed by some intermediate CAs without
> >> accepting any client certificate that can present a chain back to the
> >> trusted root. This is currently not possible, mainly due to the way
> >> that OpenSSL works.
> >
> > That notion seems pretty bogus to me. If you don't trust the root CA to
> > not hand out child CA certs to untrustworthy people, then you don't really
> > trust the root CA, do you? You should just list the certs of the
> > intermediate CAs you *do* trust in the server's root.crt.
>
> Assume you have a corporate policy that says that all SSL certificates
> must be signed for the corporate root CA, which is an intermediate CA
> signed by Verisign. Presumably this means that you (or someone in your
> organization) trusts Verisign to exercise some degree of care in issuing
> their certificates, but that's a long way from wanting to allow every
> Verisign-signed (or "rooted") certificate to connect to your database
> server.
Yes, this is why we recommend self-signed certificates for Postgres. In
this case, what value is there in using an intermediate certificate
who's root is Verisign?
> BTW, you can't just "list the certs of the intermediate CAs you do
> trust"; you have to put the root CA certificate into root.crt in order
> for OpenSSL to build a complete chain, and this means trusting *every*
> client certificate that can present a chain back to that root. That is
> the problem.
>
> > In any case, the idea that this is somehow OpenSSL's fault and another
> > implementation of the same protocol wouldn't have the same issue sounds
> > pretty silly.
>
> Actually other implementations do this. In fact, a flag was added to
> OpenSSL fairly recently to allow validating a chain only up to an
> intermediate CA for this very reason.
Interesting.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2013-12-02 21:49:25 | Re: Trust intermediate CA for client certificates |
| Previous Message | Stephen Frost | 2013-12-02 21:29:57 | Re: Trust intermediate CA for client certificates |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2013-12-02 21:42:07 | Re: Improvement of pg_stat_statement usage about buffer hit ratio |
| Previous Message | Dimitri Fontaine | 2013-12-02 21:34:02 | Re: Extension Templates S03E11 |