From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Andrus <kobruleht2(at)hot(dot)ee>, pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: tlsv1 alert unknown ca error on cert authentication |
Date: | 2025-06-09 15:39:17 |
Message-ID: | CAOYmi+=fbH0_9sCkWaj0s-3AUNd1W=H2AyU088RfiGD+AEeKaQ@mail.gmail.com |
Lists: | pgsql-bugs |

On Sun, Jun 8, 2025 at 9:14 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Hm. This example works fine for me on RHEL8. Evidently your
> openssl installation is set up to reject self-signed certificates
> by default.

I wonder if this setup is somewhat undefined/underdefined behavior.
Andrus, if I understand correctly, you have

- two certificates (one client, one server _and_ CA)
- with the same(!) Subject, according to the logs
- one signed the other (so it's "self-signed")
- one is marked CA, one is not

I have no idea how OpenSSL or the RFCs resolve this situation. Do you
really intend to have the CA share the same Subject as the client?

--Jacob