From: | Ray Stell <stellr(at)cns(dot)vt(dot)edu> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Michael Fuhr <mike(at)fuhr(dot)org>, pgsql-admin(at)postgresql(dot)org |
Subject: | Re: no verification of client certificate? |
Date: | 2007-03-26 13:35:33 |
Message-ID: | 20070326133533.GA17380@cns.vt.edu |
Lists: | pgsql-admin pgsql-docs |

On Mon, Mar 26, 2007 at 12:04:21AM -0400, Tom Lane wrote:
> Michael Fuhr <mike(at)fuhr(dot)org> writes:
> > On Sun, Mar 25, 2007 at 10:01:20PM -0400, Tom Lane wrote:
> >> I looked more closely and you are right: if the server does not have
> >> a root.crt file then it doesn't send its server cert to the client,
> >> and so there's no way for the client to verify the cert.
>
> > Eh? ssldump shows otherwise here with 8.2.3.
>
> Well, if it works then why is the OP complaining?

Two reasons:

1. I was following:
   http://www.postgresql.org/docs/8.2/interactive/ssl-tcp.html
   I did not know this page existed:
   http://www.postgresql.org/docs/8.2/interactive/libpq-ssl.html
   Connecting the two pages would have helped me.

2. I probably made a mistake trying the various combinations.
   Knowing how Michael traced the connection with ssldump would be
   VERY helpful. Trying to put it together from strace is much harder
   and I probably made multiple mistakes. I was on a fishing expedition
   at best as I didn't know how it went together.