| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Ian Pilcher <arequipeno(at)gmail(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Trust intermediate CA for client certificates |
| Date: | 2013-12-03 16:18:25 |
| Message-ID: | 20131203161825.GB27105@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-hackers |
On Mon, Dec 2, 2013 at 05:35:06PM -0500, Andrew Dunstan wrote:
>
> On 12/02/2013 04:17 PM, Tom Lane wrote:
> >Bruce Momjian <bruce(at)momjian(dot)us> writes:
> >>Sorry, I should have said:
> >> Tom is saying that for his openssl version, a client that passed
> >> an intermediate certificate had to supply a certificate _matching_
> >> something in the remote root.crt, not just signed by it.
> >>At least I think that was the issue, rather than requiring the client to
> >>supply a "root" certificate, meaning the client can supply an
> >>intermediate or root certificicate, as long as it appears in the
> >>root.crt file on the remote end.
> >As far as the server is concerned, anything listed in its root.crt *is* a
> >trusted root CA. Doesn't matter if it's a child of some other CA.
>
>
> But it does need to be signed by a trusted signatory. At least in my
> test script (pretty ugly, but shown below for completeness), the
> Intermediate CA cert is signed with the Root cert rather than being
> self-signed as the Root cert is, and so if the server doesn't have
> that root cert as a trusted cert the validation fails.
>
> In case 1, we put the root CA cert on the server and append the
> intermediate CA cert to the client's cert. This succeeds. In case 2,
> we put the intermediate CA cert on the server without the root CA's
> cert, and use the bare client cert. This fails. In case 3, we put
> both the root and the intermediate certs in the server's root.crt,
> and use the bare client key, and as expected this succeeds.
>
> So the idea that you can just plonk any Intermediate CA cert in
> root.crt and have all keys it signs validated is not true, AFAICT.
>
> OpenSSL version 1.0.0j was used in these tests, on a Fedora 16 box.
OK, that behavior matches the behavior Ian observed and also matches my
most recent doc patch. I know Tom saw something different, but unless
he can reproduce it, I am thinking my doc patch is our best solution.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavel Stehule | 2013-12-03 19:16:32 | Re: unnest on multi-dimensional arrays |
| Previous Message | Dorian Hoxha | 2013-12-03 16:03:46 | Re: Complex sql, limit-for-each group by, arrays, updates |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Metin Doslu | 2013-12-03 16:24:55 | Re: Parallel Select query performance and shared buffers |
| Previous Message | Dimitri Fontaine | 2013-12-03 16:18:07 | Re: Extension Templates S03E11 |