Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> writes:
> See the self-contained test case here:
Thanks for posting that; it makes it a lot easier to experiment with the
behavior of the Java software stack.
I've applied your patch along with some hacking on libpq. As far as
I can tell, things now work nicely with chained certificates on either
end, but it could definitely do with more testing if you have time to
poke at CVS HEAD.
I'm still a bit mystified about bug #5245 though. I can see two
possible explanations for that one:
1. The reporter was wrong about which server version he was using;
pre-8.4 servers would in fact not send the whole cert chain, cf
2. The reporter was wrong about the actual cause of his problem, and
despite his description, the true reason his Java client was failing
was the lack of SSL_CTX_set_client_CA_list().
Anyway, as far as I can tell the case described there works now.
regards, tom lane
In response to
pgsql-bugs by date
|Next:||From: Craig Ringer||Date: 2010-05-27 02:55:09|
|Subject: Re: BUG #5468: Pg doesn't send accepted root CA list to client
during SSL client cert request|
|Previous:||From: Mark Kirkwood||Date: 2010-05-27 01:37:50|
|Subject: Re: xml data type implications of no =|