From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Ian Pilcher <arequipeno(at)gmail(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Trust intermediate CA for client certificates |
Date: | 2013-12-02 21:24:49 |
Message-ID: | 20131202212449.GV17272@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general pgsql-hackers |
* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> Sorry, I should have said:
>
> Tom is saying that for his openssl version, a client that passed
> an intermediate certificate had to supply a certificate _matching_
> something in the remote root.crt, not just signed by it.
>
> At least I think that was the issue, rather than requiring the client to
> supply a "root" certificate, meaning the client can supply an
> intermediate or root certificicate, as long as it appears in the
> root.crt file on the remote end.
That wasn't the impression I got from Tom's comments; hopefully he'll
clarify. I really don't think OpenSSL actually does 'matching' kind of
work as is being described here.. It certainly shouldn't be deciding on
the validity of a certificate based on that. I wonder if this is
related to the question which was raised previously about if we trust
*intermediate CAs* when no root CA exists (which we certainly should
*not* be doing, but it's hardly clear what the heck happens when
everything has to go into a file called 'root.crt').
> Once I fully understand this I can post a proposed doc change.
Thank you much for offering to write up the docs around this.
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2013-12-02 21:25:28 | Re: Trust intermediate CA for client certificates |
Previous Message | Andrew Dunstan | 2013-12-02 21:23:54 | Re: Trust intermediate CA for client certificates |
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2013-12-02 21:25:28 | Re: Trust intermediate CA for client certificates |
Previous Message | Andrew Dunstan | 2013-12-02 21:23:54 | Re: Trust intermediate CA for client certificates |