Re: Trust intermediate CA for client certificates

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Ian Pilcher <arequipeno(at)gmail(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Trust intermediate CA for client certificates
Date: 2013-12-02 21:17:57
Message-ID: 26465.1386019077@sss.pgh.pa.us
Lists: pgsql-general pgsql-hackers

Bruce Momjian <bruce(at)momjian(dot)us> writes:
> Sorry, I should have said:

> Tom is saying that for his openssl version, a client that passed
> an intermediate certificate had to supply a certificate _matching_
> something in the remote root.crt, not just signed by it.

> At least I think that was the issue, rather than requiring the client to
> supply a "root" certificate, meaning the client can supply an
> intermediate or root certificate, as long as it appears in the
> root.crt file on the remote end.

As far as the server is concerned, anything listed in its root.crt *is* a
trusted root CA. Doesn't matter if it's a child of some other CA.

The issue is that the client's cert has to be linked to some element of
root.crt somehow. In principle you'd think that if the client provides
an intermediate CA cert, the server should be able to match that to
whichever root.crt member signed it, but that wasn't what I saw
happening. It'd be good for someone who uses SSL more than I do to
replicate the experiment, though. It's not impossible that I screwed up.

regards, tom lane
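Tom's invitation to replicate the experiment can be approximated with openssl(1) alone. The script below is an added example, not code from the thread or from PostgreSQL: it builds a throwaway root, intermediate and client certificate and checks which contents of a trust file let the client cert verify, on the assumption that `openssl verify` mirrors the chain check a server performs against its root.crt (the file and case names are made up for the demonstration).

```shell
# Added example (not PostgreSQL code): build root -> intermediate -> client
# with openssl(1) and see which trust-file contents let client.crt verify.
# Assumption: `openssl verify` approximates the check a server applies
# using root.crt; it is not the server itself.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# newkey_csr NAME CN: fresh RSA key plus a CSR for it.
newkey_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
newkey_csr root TestRoot
# Self-signed root CA.
openssl x509 -req -in root.csr -signkey root.key -days 2 \
  -extfile ca.ext -out root.crt 2>/dev/null
newkey_csr int TestIntermediate
# Intermediate CA, signed by the root.
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.crt 2>/dev/null
newkey_csr client client
# Client certificate, signed by the intermediate only.
openssl x509 -req -in client.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 2 -out client.crt 2>/dev/null
cat int.crt root.crt > int_and_root.crt
# verify_client TRUSTFILE [EXTRA]: TRUSTFILE stands in for the server's
# root.crt; EXTRA stands in for certs the client sends alongside its own.
verify_client() {
  if [ $# -gt 1 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" client.crt >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" client.crt >/dev/null 2>&1
  fi
}
# Case A: trust file holds only the root; client sends just its own cert.
case_a() { verify_client root.crt; }
# Case B: trust file holds only the root; client also sends the intermediate.
case_b() { verify_client root.crt int.crt; }
# Case C: trust file holds only the intermediate (no self-signed anchor).
case_c() { verify_client int.crt; }
# Case D: trust file holds the intermediate and its root.
case_d() { verify_client int_and_root.crt; }

for c in case_a case_b case_c case_d; do
  if "$c"; then echo "$c: verified"; else echo "$c: rejected"; fi
done
```

By default OpenSSL only accepts a chain that ends at a self-signed certificate it trusts, so a trust file holding just the intermediate rejects the client (case C) until the root is appended as well (case D); `openssl verify -partial_chain` shows the alternative behaviour where a non-self-signed entry counts as an anchor.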
