From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
Cc: | PostgreSQL-documentation <pgsql-docs(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>, David Steele <david(at)pgmasters(dot)net> |
Subject: | Re: Correction of intermediate certificate handling |
Date: | 2018-01-17 03:23:44 |
Message-ID: | 20180117032344.GA26285@momjian.us |
Lists: | pgsql-docs |
On Wed, Jan 17, 2018 at 09:09:50AM +0900, Michael Paquier wrote:
> On Tue, Jan 16, 2018 at 11:21:22AM -0500, Bruce Momjian wrote:
> > On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
> > > This bit is important. I am happy that your patch mentions that
> > > intermediate certificates avoid the need to store root ones on the
> > > client. Should the docs mention terms like "chain of trust"?
> >
> > I think the question is how much do we want to "teach" people in our
> > docs. We do oddly but wisely link from our docs to HP OpenVMS docs
> > about how the chain of trust works:
> >
> > http://h41379.www4.hpe.com/doc/83final/ba554_90007/ch04s02.html
> >
> > I will write up a paragraph about the concepts for our docs for the
> > group's review.
>
> As a separate patch, I think that it would be fine as well.
I ended up merging the "chain of trust" changes into the "intermediate"
patch since they affect adjacent sections of the docs. You can see this
as the first attached patch.
> > > Perhaps the docs could also include an example of command to create a
> > > root and an intermediate certificate in runtime.sgml or such?
> >
> > Yes, I have thought about that. My presentation has clear examples that
> > we can use, again based on Stephen and David's scripts using v3_ca. I
> > will work up a possible patch for that too.
>
> That too.
I did that as a separate patch, which is the second attachment.
> > > On top of that, src/test/ssl does not provide any kind of coverage for
> > > that. It would be an area of improvement for those tests.
> >
> > Wow, I have no idea how to do that. Let me look. Seems I have more
> > work to do.
>
> You would need to update src/test/ssl/Makefile to generate those
> intermediate CAs, and then make ServerSetup::switch_server_cert smarter
> in the way the series of certificates are handled. A suggestion I have
> would be to create each certificate file separately and change the
> routine so that it uses an array as input, the order of the items defining
> the order of the data. For the client there is sslrootcert, so I
> guess that a small routine able to take a set of certs and append them
> to a single file would make it as well (switch_server_cert should use
> it).
I don't think I will work on the testing changes.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
Attachment | Content-Type | Size |
---|---|---|
crt.diff | text/x-diff | 12.4 KB |
openssl.diff | text/x-diff | 4.3 KB |
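The root-plus-intermediate setup the thread is discussing, as an added example that is neither from this thread nor from the attached patches: it builds a root CA, an intermediate CA signed by the root (both with v3_ca extensions) and a server certificate signed by the intermediate, then checks the chain as a client holding only the root in sslrootcert would, with and without the intermediate supplied by the server. It assumes the openssl command line tool; all subject names, file names and config section names are constructed for the example.

```shell
# Added example (not from the thread or PostgreSQL): build a root CA, an
# intermediate CA signed by it and a server certificate signed by the
# intermediate, then check the chain the way a client with only the root
# in sslrootcert would.  All subject names and file names are constructed.
set -eu

make_chain() {    # $1 = work directory
  d=$1
  # Minimal config: v3_ca marks a cert as a CA, v3_leaf marks the server cert.
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
  # Root CA: self-signed with the v3_ca extensions.
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 -subj /CN=pg-root-ca \
    -config "$d/ca.cnf" -extensions v3_ca -keyout "$d/root.key" -out "$d/root.crt"
  # Intermediate CA: CSR signed by the root, also with v3_ca.
  openssl req -new -nodes -newkey rsa:2048 -subj /CN=pg-intermediate-ca \
    -config "$d/ca.cnf" -keyout "$d/intermediate.key" -out "$d/intermediate.csr"
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -extfile "$d/ca.cnf" -extensions v3_ca \
    -out "$d/intermediate.crt"
  # Server certificate: signed by the intermediate, not by the root.
  openssl req -new -nodes -newkey rsa:2048 -subj /CN=dbhost.example \
    -config "$d/ca.cnf" -keyout "$d/server.key" -out "$d/server.csr"
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 365 \
    -extfile "$d/ca.cnf" -extensions v3_leaf -out "$d/server.crt"
  # What the server presents: its own cert followed by the intermediate.
  cat "$d/server.crt" "$d/intermediate.crt" > "$d/server-chain.crt"
}
# Verify server.crt trusting only root.crt; $2 is an optional file of
# untrusted certificates the peer supplied.  Prints OK or FAIL.
verify_chain() {
  if [ $# -gt 1 ]; then set -- -CAfile "$1/root.crt" -untrusted "$2" "$1/server.crt"
  else set -- -CAfile "$1/root.crt" "$1/server.crt"; fi
  if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
WORK=$(mktemp -d); make_chain "$WORK" >/dev/null 2>&1
echo "with intermediate: $(verify_chain "$WORK" "$WORK/server-chain.crt")"
echo "root only:         $(verify_chain "$WORK")"
```

The second check fails because the client cannot link the server certificate to its trusted root without the intermediate, which is why the server must send it (or the client must store it).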