From: | Radosław Smogura <rsmogura(at)softperience(dot)eu> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Cc: | Asia <asia123321(at)op(dot)pl> |
Subject: | Re: SSL certificates issue |
Date: | 2011-09-07 16:32:08 |
Message-ID: | 201109071832.08646.rsmogura@softperience.eu |
Lists: | pgsql-general |
Asia <asia123321(at)op(dot)pl> wrote on Wednesday, 7 September 2011, 16:00:39:
> > I personally haven't tried SSL for PostgreSQL but, I think, you should
> > put in root.crt only the intermediate certificate (C1 - from prev post), so
> > that all, and only, "sub-certs" of the intermediate CA will be able to
> > establish a connection (paranoid security).
> >
> > Putting intermediate CAs as trusted in the Java keystore may be a solution,
> > but I'm not sure if, in the situation of cert invalidation, such a cert will
> > be rejected.
> >
> > If you want to write an SSL factory, you should re-implement KeyManager
> > only, to give the ability of an extended search.
> >
> > Regards,
> > Radek
>
> I have already tried with only C1 in root.crt but unfortunately it does
> not work. I get an error message that the cert is invalid. It seems that
> chained CAs are not supported in the way we would like to have it done. I
> would prefer to have the number of trusted certs in root.crt limited as much
> as possible, but as I said it does not work.
>
> About Java, I would need to analyze the libpq code and implement KeyManager
> in a similar way - this is surely possible but not necessarily the preferred
> solution ;-)
>
> Kind regards,
> Joanna
I barely looked at the Java SSL implementation, and it should support a certificate
chain, even if the intermediate cert isn't presented by the server (not in root.crt),
as long as you have a valid chain in the key/trust store. I found, and you may try to
turn it on, "javax.net.debug=all" to see debug info on cert matching.
Only one thing comes to me as to why it doesn't work: your intermediate cert may
have no issuer DN.
Regards,
Radek
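The thread turns on how a trust store loaded from root.crt behaves when it holds only the intermediate CA. The script below is an added example, not code from the thread, from PostgreSQL or from the JDBC driver: it builds a constructed three-level PKI (self-signed root, intermediate "C1", server certificate for the made-up host db.example.test) with openssl and then runs the same verification against four trust-store layouts. All file names, subjects and lifetimes are throwaway values chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL: reproduce with
# openssl why a root.crt holding only the intermediate CA "C1" is rejected.
# The PKI below (root -> C1 -> server, host db.example.test) is constructed here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the script does not depend on a system openssl.cnf.
# v3_ca marks a cert as a CA; v3_srv is for the leaf server certificate.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName   = DNS:db.example.test
EOF

# build_pki: self-signed root CA, intermediate C1 signed by root,
# server certificate signed by C1, plus a bundle of root and C1.
build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/req.cnf" \
        -subj "/CN=Test Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" \
        >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=Test Intermediate C1" -keyout "$WORK/c1.key" -out "$WORK/c1.csr" \
        >/dev/null 2>&1
    openssl x509 -req -in "$WORK/c1.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/req.cnf" -extensions v3_ca \
        -out "$WORK/c1.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=db.example.test" -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/c1.crt" -CAkey "$WORK/c1.key" \
        -CAcreateserial -days 2 -extfile "$WORK/req.cnf" -extensions v3_srv \
        -out "$WORK/server.crt" >/dev/null 2>&1
    cat "$WORK/root.crt" "$WORK/c1.crt" > "$WORK/root_bundle.crt"
}

# verify_with OPTIONS...: run "openssl verify OPTIONS server.crt" and print
# ok or fail instead of exiting, so the four trust-store layouts can be compared.
verify_with() {
    if openssl verify "$@" "$WORK/server.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# 1. root.crt contains only C1: the chain cannot reach a self-signed root, so
#    a default OpenSSL verifier reports "unable to get issuer certificate".
only_intermediate() { verify_with -CAfile "$WORK/c1.crt"; }
# 2. root.crt contains root and C1 concatenated: the chain is complete.
full_chain_in_rootcrt() { verify_with -CAfile "$WORK/root_bundle.crt"; }
# 3. root.crt contains only the root and the server sends C1 in the handshake
#    (modelled here with -untrusted): also complete.
root_only_server_sends_c1() { verify_with -CAfile "$WORK/root.crt" -untrusted "$WORK/c1.crt"; }
# 4. Only C1 trusted, but the verifier is explicitly allowed to stop at a trusted
#    non-root (OpenSSL 1.0.2+ flag; not the default a client gets by loading a CA file).
partial_chain_to_c1() { verify_with -partial_chain -CAfile "$WORK/c1.crt"; }

build_pki
printf '1. only C1 in root.crt              : %s\n' "$(only_intermediate)"
printf '2. root + C1 in root.crt            : %s\n' "$(full_chain_in_rootcrt)"
printf '3. root in root.crt, server sends C1: %s\n' "$(root_only_server_sends_c1)"
printf '4. only C1, -partial_chain          : %s\n' "$(partial_chain_to_c1)"
```

Case 1 is the layout Joanna tried: a store that trusts only C1 is not enough for a stock OpenSSL verifier, because chain building must end at a self-signed certificate unless the caller opts into partial chains. libpq hands sslrootcert to OpenSSL as its set of trusted certificates, so the working layouts are case 2 (concatenate the root and C1 into root.crt) or case 3 (root alone in root.crt, with the server configured to send C1 after its own certificate). Keeping the trusted set small, as the thread wants, is therefore achieved by which CA signs the leaf, not by dropping the root from the file. On the Java side, javax.net.debug as suggested above is the way to see the same chain-building decisions from the JSSE trust manager.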