| From: | Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |
| Date: | 2010-05-25 23:26:11 |
| Message-ID: | 4BFC5C93.40406@postnewspapers.com.au |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On 25/05/10 23:48, Tom Lane wrote:
> Craig Ringer<craig(at)postnewspapers(dot)com(dot)au> writes:
>> Bug 5245 is not the same issue. They're talking about the server not
>> sending the full certificate chain for the cert that identifies the
>> server (server.crt). It's nothing to do with client certificates.
>> Without the full chain, the client can't verify the server unless it
>> happens to already have the intermediate certs between the server's cert
>> and the trusted root that signed it installed locally. I haven't
>> encountered #5245 myself, but will test it shortly to verify. It'd
>> certainly count as a significant bug, as it would make it impossible to
>> use indirect trust to verify a server (as is the case when a corporate
>> CA signed by a "big name" CA is in use).
>
> BTW, does anyone know exactly how to fix that? I'm looking at a related
> request internal to Red Hat right now.
The first thing to test is whether concatenating the root cert onto the
server cert in 'server.crt' does the trick. Though, really, OpenSSL
should do the right thing automatically so long as it has the CA
certificate loaded.
Certainly my (patched) server is doing the right thing and sending the
certificate. I'm 99% sure it did so before patching, though, just from
having root.crt installed. However, this only works because the CA I
want to validate clients against happens to be the same CA that signed
my server's certificate, which is frequently *not* the case.
I do *not* have the CA cert concatenated onto server.crt. I'll have to
see if that works, because that's how it's usually done with OpenSSL.
BTW, the little Java app I posted for client certifiate testing will let
you get detailed tracing of a Pg SSL connection. Just run it with the
default sslsocketfactory and no client cert:
java -jar PgClientCertDemo.jar default '' '' '' \
jdbc:postgresql://YOURSERVER/YOURDATABASE?ssl=true&user=blah&password=blah
and you'll get detailed trace information (possibly followed by an
exception if it couldn't negotiate for some reason). Search for
'ServerHello' to find the start of the area of interest in the
negotiation. Search for 'chain [' to find the server certificate chain
entries.
--
Craig Ringer
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2010-05-25 23:37:18 | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |
| Previous Message | Tom Lane | 2010-05-25 22:24:20 | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |