Re: Correction of intermediate certificate handling

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: PostgreSQL-documentation <pgsql-docs(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>, David Steele <david(at)pgmasters(dot)net>
Subject: Re: Correction of intermediate certificate handling
Date: 2018-01-17 00:09:50
Message-ID: 20180117000950.GB935@paquier.xyz
Lists: pgsql-docs

On Tue, Jan 16, 2018 at 11:21:22AM -0500, Bruce Momjian wrote:
> On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
> > This bit is important. I am happy that your patch mentions that
> > intermediate certificates avoid the need to store root ones on the
> > client. Should the docs mention terms like "chain of trust"?
>
> I think the question is how much do we want to "teach" people in our
> docs. We do oddly but wisely link from our docs to HP OpenVMS docs
> about how the chain of trust works:
>
> http://h41379.www4.hpe.com/doc/83final/ba554_90007/ch04s02.html
>
> I will write up a paragraph about the concepts for our docs for the
> group's review.

As a separate patch, I think that it would be fine as well.

> > Perhaps the docs could also include an example of command to create a
> > root and an intermediate certificate in runtime.sgml or such?
>
> Yes, I have thought about that. My presentation has clear examples that
> we can use, again based on Stephen and David's scripts using v3_ca. I
> will work up a possible patch for that too.

That too.

> > On top of that, src/test/ssl does not provide any kind of coverage for
> > that. It would be an area of improvement for those tests.
>
> Wow, I have no idea how to do that. Let me look. Seems I have more
> work to do.

You would need to update src/test/ssl/Makefile to generate those
intermediate CAs, and then make ServerSetup::switch_server_cert smarter
in the way the series of certificates are handled. A suggestion I have
would be to create each certificate file separately and change the
routine so as it uses an array in input, the order of the items defining
what's the order of the data. For the client there is sslrootcert, so I
guess that a small routine able to take a set of certs and append them
to a single file would make it as well (switch_server_cert should use
it).

> Instead of appending to this doc patch, I will work on a second one for
> review.

I see nothing pressing here. If you are not familiar with the TAP test
facility, this could give you a good introduction to it.
--
Michael
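
The small routine suggested in the message above, one that takes a set of certificates and appends them to a single file in the order given, could look like the following. This is an added example, not part of the message or of src/test/ssl; the function name `append_certs` and any file names passed to it are assumptions, and it checks PEM framing only, not certificate validity.

```shell
#!/bin/sh
# Hypothetical helper (not PostgreSQL code): build one PEM bundle from
# separately stored certificate files, keeping the argument order.

# append_certs OUTFILE CERT...
# Each CERT must contain exactly one PEM certificate block.
append_certs() {
    out=$1
    shift
    if [ "$#" -eq 0 ]; then
        echo "append_certs: no input certificates" >&2
        return 2
    fi

    # Write to a temporary file so a failure never leaves a partial bundle.
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1

    for cert in "$@"; do
        if [ ! -r "$cert" ]; then
            echo "append_certs: cannot read $cert" >&2
            rm -f "$tmp"
            return 1
        fi
        begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----[[:space:]]*$' "$cert" || true)
        ends=$(grep -c -e '^-----END CERTIFICATE-----[[:space:]]*$' "$cert" || true)
        if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
            echo "append_certs: $cert is not a single PEM certificate" >&2
            rm -f "$tmp"
            return 1
        fi
        # Copy only the certificate block. awk ends every printed line with
        # a newline, so an input file lacking a final newline cannot fuse
        # its END line with the next file's BEGIN line. Trailing CR and
        # blanks are stripped so CRLF files give the same output.
        awk '{ sub(/[ \t\r]+$/, "") }
             /^-----BEGIN CERTIFICATE-----$/ { p = 1 }
             p { print }
             /^-----END CERTIFICATE-----$/ { p = 0 }' "$cert" >> "$tmp"
    done

    mv "$tmp" "$out"
}
```
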
