Re: Correction of intermediate certificate handling

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL-documentation <pgsql-docs(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>, David Steele <david(at)pgmasters(dot)net>
Subject: Re: Correction of intermediate certificate handling
Date: 2018-01-26 13:09:30
Message-ID: 20180126130930.GD20836@momjian.us
Lists: pgsql-docs

On Thu, Jan 25, 2018 at 10:59:23PM -0500, Peter Eisentraut wrote:
> On 1/16/18 00:33, Michael Paquier wrote:
> > On top of that, src/test/ssl does not provide any kind of coverage for
> > that. It would be an area of improvement for those tests.
>
> The tests already cover this:
>
> # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
> switch_server_cert($node, 'server-cn-only', 'root_ca');
> $common_connstr =
>   "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
>
> test_connect_ok($common_connstr,
>   "sslmode=require sslcert=ssl/client+client_ca.crt");
> test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt");
>
> If you change the Makefile rule for generating the client CA to omit the
> -extensions v3_ca option, then the first test will fail.

Oh, very good!

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
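
The behaviour described in the quoted reply can be reproduced outside the PostgreSQL test suite with plain OpenSSL: a client-supplied intermediate is only accepted as an issuer when it was signed with CA extensions. This is an added example, not part of the thread or of src/test/ssl; the subject names, the ca.cnf contents and the function name verify_client_chain are constructed for the demo.

```shell
#!/bin/sh
# Added illustration; every name and path here is constructed for the demo.
# verify_client_chain MODE builds root -> client CA -> client in a temp dir.
#   with_ca     client CA is signed with the v3_ca extensions (CA:true)
#   without_ca  client CA is signed with no extensions at all
# Returns 0 only if the client cert verifies with just the root trusted.
verify_client_chain() {
    mode=$1
    d=$(mktemp -d) || return 2
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Self-signed root, always a proper CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -extensions v3_ca -subj "/CN=demo root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 2
    # Keys and CSRs for the intermediate (client CA) and the client.
    for n in client_ca client; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
            -subj "/CN=demo $n" -keyout "$d/$n.key" -out "$d/$n.csr" \
            2>/dev/null || return 2
    done
    ext=""
    [ "$mode" = with_ca ] && ext="-extfile $d/ca.cnf -extensions v3_ca"
    # $ext is intentionally unquoted so it splits into separate arguments.
    openssl x509 -req -in "$d/client_ca.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -set_serial 2 -days 2 $ext \
        -out "$d/client_ca.crt" 2>/dev/null || return 2
    openssl x509 -req -in "$d/client.csr" -CA "$d/client_ca.crt" \
        -CAkey "$d/client_ca.key" -set_serial 3 -days 2 \
        -out "$d/client.crt" 2>/dev/null || return 2
    # Trust only the root; the intermediate is passed as untrusted, the way
    # a client presenting client+client_ca.crt hands it to the server.
    openssl verify -CAfile "$d/root.crt" -untrusted "$d/client_ca.crt" \
        "$d/client.crt" 2>/dev/null | grep -q ': OK$'
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Dropping the `2>/dev/null` on the final `openssl verify` shows the reason OpenSSL gives when the `without_ca` chain is rejected.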
