Re: Trust intermediate CA for client certificates

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Ian Pilcher <arequipeno(at)gmail(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Trust intermediate CA for client certificates
Date: 2013-12-03 16:18:25
Message-ID: 20131203161825.GB27105@momjian.us
Lists: pgsql-general pgsql-hackers

On Mon, Dec 2, 2013 at 05:35:06PM -0500, Andrew Dunstan wrote:
>
> On 12/02/2013 04:17 PM, Tom Lane wrote:
> >Bruce Momjian <bruce(at)momjian(dot)us> writes:
> >>Sorry, I should have said:
> >> Tom is saying that for his openssl version, a client that passed
> >> an intermediate certificate had to supply a certificate _matching_
> >> something in the remote root.crt, not just signed by it.
> >>At least I think that was the issue, rather than requiring the client to
> >>supply a "root" certificate, meaning the client can supply an
> >>intermediate or root certificate, as long as it appears in the
> >>root.crt file on the remote end.
> >As far as the server is concerned, anything listed in its root.crt *is* a
> >trusted root CA. Doesn't matter if it's a child of some other CA.
>
>
> But it does need to be signed by a trusted signatory. At least in my
> test script (pretty ugly, but shown below for completeness), the
> Intermediate CA cert is signed with the Root cert rather than being
> self-signed as the Root cert is, and so if the server doesn't have
> that root cert as a trusted cert the validation fails.
>
> In case 1, we put the root CA cert on the server and append the
> intermediate CA cert to the client's cert. This succeeds. In case 2,
> we put the intermediate CA cert on the server without the root CA's
> cert, and use the bare client cert. This fails. In case 3, we put
> both the root and the intermediate certs in the server's root.crt,
> and use the bare client key, and as expected this succeeds.
>
> So the idea that you can just plonk any Intermediate CA cert in
> root.crt and have all keys it signs validated is not true, AFAICT.
>
> OpenSSL version 1.0.0j was used in these tests, on a Fedora 16 box.

OK, that behavior matches the behavior Ian observed and also matches my
most recent doc patch. I know Tom saw something different, but unless
he can reproduce it, I am thinking my doc patch is our best solution.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ Everyone has their own god. +
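The three cases Andrew describes, reproduced with openssl verify standing in for the server's certificate check. This is an added example, not the test script from the thread and not PostgreSQL code; the file names, subject CNs and the temporary directory are invented for the demonstration. -CAfile plays the server's root.crt (ssl_ca_file), and -untrusted models the intermediate certificate the client appends to its own certificate in case 1:

```shell
#!/bin/sh
# Constructed reproduction of the three trust-store cases from the thread.
# openssl verify stands in for the PostgreSQL server; nothing here is from
# the PostgreSQL tree, and all names are made up for the demonstration.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Build a throwaway PKI: self-signed root -> intermediate -> client leaf.
# Files land in $PKI (a temp dir); verify_case callers refer to them by name.
make_test_pki() {
    PKI=$(mktemp -d)
    (
        cd "$PKI"
        # A CA certificate must carry CA:TRUE or OpenSSL rejects it as an issuer.
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        # Root: self-signed.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
            -keyout root.key -out root.csr 2>/dev/null
        openssl x509 -req -in root.csr -signkey root.key -days 30 \
            -extfile ca.ext -out root.crt 2>/dev/null
        # Intermediate: signed by the root, not self-signed.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
            -keyout inter.key -out inter.csr 2>/dev/null
        openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -days 30 -extfile ca.ext -out inter.crt 2>/dev/null
        # Client leaf: signed by the intermediate.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=testuser" \
            -keyout client.key -out client.csr 2>/dev/null
        openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
            -days 30 -out client.crt 2>/dev/null
        # What the server's root.crt holds in case 3: root and intermediate.
        cat root.crt inter.crt > root_plus_inter.crt
    )
}

# verify_case LABEL TRUSTFILE LEAF [EXTRA]
#   TRUSTFILE plays the server's root.crt; LEAF is the client certificate;
#   EXTRA, if given, is the intermediate the client sends along with its
#   certificate (supplied to OpenSSL as -untrusted: available, not trusted).
# Prints openssl's verdict on stderr; returns 0 if the chain validates, else 1.
verify_case() {
    label=$1; trust=$2; leaf=$3; extra=$4
    if [ -n "$extra" ]; then
        out=$(openssl verify -CAfile "$trust" -untrusted "$extra" "$leaf" 2>&1) && rc=0 || rc=1
    else
        out=$(openssl verify -CAfile "$trust" "$leaf" 2>&1) && rc=0 || rc=1
    fi
    echo "$label: $out" >&2
    return $rc
}

# Runs the thread's three cases and prints one word per case, in order.
run_thread_cases() {
    r1=fail; r2=fail; r3=fail
    # Case 1: server trusts the root; client presents leaf + intermediate.
    if verify_case case1 "$PKI/root.crt" "$PKI/client.crt" "$PKI/inter.crt"; then r1=ok; fi
    # Case 2: server trusts only the intermediate; client presents the bare leaf.
    if verify_case case2 "$PKI/inter.crt" "$PKI/client.crt"; then r2=ok; fi
    # Case 3: server trusts root and intermediate; client presents the bare leaf.
    if verify_case case3 "$PKI/root_plus_inter.crt" "$PKI/client.crt"; then r3=ok; fi
    echo "$r1 $r2 $r3"
}

make_test_pki
trap 'rm -rf "$PKI"' EXIT
echo "summary (case1 case2 case3): $(run_thread_cases)"
```

Run it with sh. Case 2 fails with OpenSSL's "unable to get issuer certificate": the chain it builds stops at the intermediate, which is in the trust file but is not self-signed, and OpenSSL's default verification insists on reaching a self-signed root. Later OpenSSL releases (1.0.2 onward) can accept a chain that ends at any trusted certificate when the caller sets X509_V_FLAG_PARTIAL_CHAIN (openssl verify -partial_chain), but that flag does not exist in the 1.0.0j used in Andrew's tests, so the behaviour he observed is the one to document.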
