| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> |
| Cc: | pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |
| Date: | 2010-05-26 02:16:34 |
| Message-ID: | 3293.1274840194@sss.pgh.pa.us |
| Lists: | pgsql-bugs |
Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> writes:

> You are confusing these two unrelated phases of SSL negotiation.

No, I don't think so.

> For the complaint in #5245 to be addressed, the server must send the
> full certificate chain for the certificate the server is using to
> identify itself as pgserver.domain.com to the client during the
> ServerHello phase of SSL negotiation. If correctly configured, the
> server already does this, and #5245 really just needs some documentation
> improvements.

As best I can tell, the server already does that, if correctly
configured, and the configuration described in #5245 is correct.
Therefore, it's failing because of something else. What the reporter
of #5245 *says* the bug is is not necessarily what it *actually* is.
What I believe his *actual* problem is is that Java is unable to verify
the cert chain without a name for (at least) the root cert. That makes
it the same as #5468, or at least it has the same fix.

I have found an additional bug here, but it's in libpq not the server,
and thus not responsible for either your bug report or his. I'll start
a new thread about that in a minute.

regards, tom lane
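The chain argument above can be checked directly with openssl. This is an added example, not code from the thread or from PostgreSQL: it builds a throwaway root -> intermediate -> server chain (names such as "Example Root CA" are constructed) and shows that a client trusting only the root can verify the server cert for pgserver.domain.com only when the intermediate the server is supposed to send in ServerHello is also available.

```shell
#!/bin/sh
# Added example (not from the thread): demonstrate why the client needs the
# full chain from the server plus the root in its own trust store.
set -e
WORK=$(mktemp -d)

# Extension files: CA certs get CA:TRUE; the server cert gets a SAN.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pgserver.domain.com\n' > "$WORK/srv.ext"

# Root CA (self-signed). This is what a client would install as its trust anchor.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

# Server cert for pgserver.domain.com, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pgserver.domain.com" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -extfile "$WORK/srv.ext" -out "$WORK/server.pem" 2>/dev/null

# verify_leaf LEAF ROOT [UNTRUSTED]: the client-side check. ROOT is the trust
# anchor; UNTRUSTED is the extra chain material presented by the server (may be absent).
verify_leaf() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" -verify_hostname pgserver.domain.com "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" -verify_hostname pgserver.domain.com "$1" >/dev/null 2>&1
  fi
}

# Server presented only its own cert: the client cannot link it to the root, so it fails.
if verify_leaf "$WORK/server.pem" "$WORK/root.pem"; then
  echo "unexpected: verified without the intermediate"; exit 1
fi
# Server presented leaf + intermediate: the client can now build the chain to its root.
verify_leaf "$WORK/server.pem" "$WORK/root.pem" "$WORK/inter.pem" && echo "full chain verified against root"
```

Swapping the root for a different trust anchor reproduces the other failure mode in the thread: a complete chain from the server is still useless if the client has no copy of the root it ends in.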