Re: Trust intermediate CA for client certificates

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Ian Pilcher <arequipeno(at)gmail(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Trust intermediate CA for client certificates
Date: 2013-12-02 20:01:25
Message-ID: 529CE715.4090407@dunslane.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general pgsql-hackers


On 12/02/2013 02:45 PM, Bruce Momjian wrote:
> On Mon, Dec 2, 2013 at 12:59:41PM -0500, Tom Lane wrote:
>> Bruce Momjian <bruce(at)momjian(dot)us> writes:
>>> I have updated the patch, attached, to be clearer about the requirement
>>> that intermediate certificates need a chain to root certificates.
>> I see that you removed the sentence
>>
>> The root
>> certificate should be included in every case where
>> <filename>postgresql.crt</> contains more than one certificate.
>>
>> in both places where it appeared. I seem to remember that I'd put that
>> in on the basis of experimentation, ie it didn't work to provide just
>> a partial chain. You appear to be telling people that it's safe to
>> omit the root cert, and I think this is wrong.
>>
>> Specifically, rather than the text "trusted by the server, i.e. signed by
>> a certificate in the server's <filename>root.crt</filename> file", I think
>> you need to say "trusted by the server, i.e., appears in the server's
>> <filename>root.crt</filename> file". Have you experimented with the
>> configuration you're proposing, and if so, with which OpenSSL versions?
> I am basing the text on the tests done in this thread, though I can test
> it myself too (though I have not yet). This email indicates we only
> need the client cert in the client, not the chain to root:
>
> http://www.postgresql.org/message-id/5146A103.8080609@2ndquadrant.com
>
> OK, we're good now, the server is sending us the intermediate cert we
> require. Regular non-client-cert verified SSL is fine. Examination of
> the protocol chat shows that the server is sending a Server Hello with a
> Certificate message containing the server and intermdediate certificate
> DNs:
>
> It can get the root and intermediate from the server, hence the "signed
> by" rather than "appears" wording. This text indicates also that the
> client doesn't have to have the certificate chain to the root:
>
> http://www.postgresql.org/message-id/514A9DDF.3050702@2ndquadrant.com
> Drat, you're quite right. I've always included the full certificate
> chain in client certs but it's in no way required.
>
> I don't fully understand the issues but the discussion seens to indicate
> this. Am I missing something? Should I run some tests?
>

AIUI, you need a complete chain from one end to the other. So the cert
being checked can include the intermediate cert in what it sends, or it
can be in the root.crt at the other end, but one way or another, the
checking end needs a complete chain from a root cert to the cert from
the other end.

cheers

andrew

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Tom Lane 2013-12-02 20:07:48 Re: Trust intermediate CA for client certificates
Previous Message Bruce Momjian 2013-12-02 19:45:01 Re: Trust intermediate CA for client certificates

Browse pgsql-hackers by date

  From Date Subject
Next Message Dimitri Fontaine 2013-12-02 20:02:17 Re: Extension Templates S03E11
Previous Message Robert Haas 2013-12-02 19:46:58 Re: Extension Templates S03E11