| From: | Chapman Flack <chap(at)anastigmatix(dot)net> |
|---|---|
| To: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: what can go in root.crt ? |
| Date: | 2020-05-25 19:32:52 |
| Message-ID: | 5ECC1D64.1000808@anastigmatix.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 05/25/20 15:15, Chapman Flack wrote:
> Does that mean it also would fail if I directly put the server's
> end-entity cert there?
>
> Would I have to put all three of WE ISSUE TO ORGS LIKE YOURS,
> WE ISSUE TO LOTS, and WE ISSUE TO EVERYBODY in the root.crt file
> in order for verification to succeed?
>
> If I did that, would the effect be any different from simply putting
> WE ISSUE TO EVERYBODY there, as before? Would it then happily accept
> a cert with a chain that ended at WE ISSUE TO EVERYBODY via some other
> path? Is there a way I can accomplish trusting only certs issued by
> WE ISSUE TO ORGS LIKE YOURS?
The client library is the PG 10 one that comes with Ubuntu 18.04
in case it matters.
I think I have just verified that I can't make it work by putting
the end entity cert there either. It is back working again with only
the WE ISSUE TO EVERYBODY cert there, but if there is a workable way
to narrow that grant of trust a teensy little bit, I would be happy
to do that.
Regards,
-Chap
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jeff Davis | 2020-05-25 19:49:45 | Re: Trouble with hashagg spill I/O pattern and costing |
| Previous Message | David Fetter | 2020-05-25 19:29:21 | Re: Since '2001-09-09 01:46:40'::timestamp microseconds are lost when extracting epoch |