Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
From | Craig Ringer |
---|---|
Subject | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |
Date | |
Msg-id | 4BFC8914.1020504@postnewspapers.com.au |
In reply to | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request (Stephen Frost <sfrost@snowman.net>) |
List | pgsql-bugs |
On 26/05/10 10:25, Stephen Frost wrote:

>>> In any case I'm thinking that we need to document how to set up
>>> configurations with chains of CA certs.
>>
>> Yes, and patch the server to send the list of trusted CAs to the client
>> during client certificate negotiation to fix #5468.
>
> Agreed.

A quick update on my own testing: I've found that the Sun PKCS#12 keystore provider behaves just like OpenSSL. It unconditionally sends the one and only client cert it has to the server - after all, there's only one to choose from. This is a royal pain to use, though, and requires the app's security to be configured from the command line at each launch, or the app to override all user settings and thus disable use of PKCS#11 hardware keys, etc.

The issue only arises if there is a keystore in use where the client may have more than one client certificate/key available to it and must pick which one to send to the server. This is true of the default Sun JKS keystore format, and for PKCS#11 stores like hardware crypto keys.

My self-contained test case will demonstrate both PKCS#12 file and JKS keystore cases. Give me a bit to put it all together and you'll have something you can play with, watch chat on the network, etc.

--
Craig Ringer
Tech-related writing: http://soapyfrogs.blogspot.com/
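The selection step Craig describes, as an added Go example that is not code from this thread or from PostgreSQL: a client holding certificates from two CAs picks one by the DER-encoded CA names Go's client exposes as `tls.CertificateRequestInfo.AcceptableCAs`, filled from the server's CertificateRequest. The CA and certificate names and the functions mkCert, ChooseClientCert and Demo are constructed for this example; an empty list, which is what bug #5468 describes the server sending, leaves the client nothing to choose by.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert makes an in-memory test certificate: a self-signed CA when parent is nil, else a leaf signed by pkey.
func mkCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { parent, pkey = t, key } // self-signed root
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// ChooseClientCert is the step a keystore holding several client certificates (JKS, PKCS#11) needs:
// pick the candidate whose issuer is among the DER-encoded CA names the server's CertificateRequest carried.
func ChooseClientCert(req *tls.CertificateRequestInfo, certs []tls.Certificate) *tls.Certificate {
	for i := range certs {
		for _, ca := range req.AcceptableCAs {
			if string(ca) == string(certs[i].Leaf.RawIssuer) {
				return &certs[i]
			}
		}
	}
	return nil // empty list (the #5468 case) or no match: the client has nothing to go on
}

// Demo: two CAs with one client certificate each; the server trusts only ca-b. sendList=false models #5468.
func Demo(sendList bool) *tls.Certificate {
	caA, keyA := mkCert("ca-a", nil, nil)
	caB, keyB := mkCert("ca-b", nil, nil)
	cliA, kA := mkCert("client-a", caA, keyA)
	cliB, kB := mkCert("client-b", caB, keyB)
	certs := []tls.Certificate{{Certificate: [][]byte{cliA.Raw}, PrivateKey: kA, Leaf: cliA},
		{Certificate: [][]byte{cliB.Raw}, PrivateKey: kB, Leaf: cliB}}
	req := &tls.CertificateRequestInfo{} // Go's client fills AcceptableCAs from the server's request
	if sendList {
		req.AcceptableCAs = [][]byte{caB.RawSubject} // the DN a server trusting ca-b should send
	}
	return ChooseClientCert(req, certs)
}
```

Demo(true) yields the client-b certificate; Demo(false) yields nil, which is the situation a multi-certificate keystore faces against a server that omits the list.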