Re: Trust intermediate CA for client certificates

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Craig Ringer <craig(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Ian Pilcher <arequipeno(at)gmail(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Trust intermediate CA for client certificates
Date: 2013-12-02 20:07:48
Message-ID: 20706.1386014868@sss.pgh.pa.us
Lists: pgsql-general pgsql-hackers

Bruce Momjian <bruce(at)momjian(dot)us> writes:
> On Mon, Dec 2, 2013 at 12:59:41PM -0500, Tom Lane wrote:
>> I see that you removed the sentence
>> The root certificate should be included in every case where <filename>postgresql.crt</> contains more than one certificate.

> I don't fully understand the issues but the discussion seems to indicate
> this. Am I missing something? Should I run some tests?

My recollection is that if the client cert file includes *only* the
client's own cert, the server will puzzle out how that connects to the
certs it has. However, if the client cert file contains more than one
cert (ie, client's cert and some intermediate-CA cert), the server
will *not* try to associate the intermediate cert with some root cert it
has. It wants the chain the client sends to terminate in a cert that it
has listed directly in root.crt.

It's possible that my recollection is faulty, or that this behavior was
a bug that's been fixed in more recent OpenSSL versions. If it's the
latter, though, I hesitate to tell people they can rely on the corrected
behavior. The text in question is from May 2010, and I would've been
testing on whatever OpenSSL version was then current in Fedora, so it
would hardly be a version that's disappeared from the wild.

regards, tom lane
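A check script for the configurations discussed in this thread, added here and not part of the original message: it builds a constructed throwaway PKI (root CA, intermediate CA, client leaf; all names hypothetical) and uses `openssl verify` as a stand-in for the server's chain building, with `-CAfile` playing the role of root.crt and `-untrusted` playing the role of an intermediate the client ships in postgresql.crt.

```shell
#!/bin/sh
# Constructed throwaway PKI (hypothetical names): root CA -> intermediate CA -> client leaf.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
  -keyout root.key -out root.crt >/dev/null 2>&1

# Intermediate CA, signed by the root with CA:TRUE.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -days 2 -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile inter.ext -out inter.crt >/dev/null 2>&1

# Client certificate, signed by the intermediate (the CN would be the database role name).
openssl req -newkey rsa:2048 -nodes -subj "/CN=dbuser" \
  -keyout client.key -out client.csr >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\n' > client.ext
openssl x509 -req -days 2 -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -extfile client.ext -out client.crt >/dev/null 2>&1

# What the server's root.crt would hold when the intermediate is listed alongside the root.
cat root.crt inter.crt > root_plus_inter.crt

# verify_chain TRUSTED [UNTRUSTED]: TRUSTED stands in for the server's root.crt,
# UNTRUSTED for an intermediate the client sends along with its own cert.
# Exit status 0 means OpenSSL could build a chain to a trusted self-signed root.
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" client.crt >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" client.crt >/dev/null 2>&1
  fi
}

# outcome LABEL TRUSTED [UNTRUSTED]: one-line result per configuration.
outcome() {
  if verify_chain "$2" "${3:-}"; then echo "$1: chain OK"; else echo "$1: chain FAILED"; fi
}
outcome "leaf only, root.crt = root only"            root.crt
outcome "leaf only, root.crt = root + intermediate"  root_plus_inter.crt
outcome "leaf + intermediate, root.crt = root only"  root.crt inter.crt
outcome "leaf only, root.crt = intermediate only"    inter.crt
```

The last case fails by default because OpenSSL insists on reaching a self-signed trust anchor unless partial chains are explicitly allowed, and the third case is the one whose result depends on the OpenSSL version in use, so run the script against the version actually deployed.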
