| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> |
| Cc: | pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |
| Date: | 2010-05-25 15:48:44 |
| Message-ID: | 23787.1274802524@sss.pgh.pa.us |
| Lists: | pgsql-bugs |

Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> writes:
> Bug 5245 is not the same issue. They're talking about the server not
> sending the full certificate chain for the cert that identifies the
> server (server.crt). It's nothing to do with client certificates.
> Without the full chain, the client can't verify the server unless it
> happens to already have the intermediate certs between the server's cert
> and the trusted root that signed it installed locally. I haven't
> encountered #5245 myself, but will test it shortly to verify. It'd
> certainly count as a significant bug, as it would make it impossible to
> use indirect trust to verify a server (as is the case when a corporate
> CA signed by a "big name" CA is in use).

BTW, does anyone know exactly how to fix that? I'm looking at a related
request internal to Red Hat right now.

regards, tom lane
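
The verification failure described in the quoted text for bug 5245, reproduced with the `openssl` command line as an added example (not part of the original message or of PostgreSQL's code). The three-tier CA, subject names and file names are constructed, and passing the intermediate with `-untrusted` stands in for a server that sends its full chain during the handshake.

```shell
#!/bin/sh
# Constructed PKI: root CA -> intermediate CA -> server certificate.
# Subjects, file names and the scratch directory are made up for this example.

new_key_and_csr() {   # $1 = dir, $2 = file stem, $3 = subject
  openssl req -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Builds root.crt (self-signed, the only cert the client trusts),
# int.crt (signed by the root) and server.crt (signed by the intermediate).
build_chain() {       # $1 = dir to fill with keys and certificates
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  new_key_and_csr "$1" root   '/CN=Constructed Root CA' &&
  new_key_and_csr "$1" int    '/CN=Constructed Intermediate CA' &&
  new_key_and_csr "$1" server '/CN=db.example.test' &&
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null &&
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -set_serial 2 -days 2 -extfile "$1/ca.ext" -out "$1/int.crt" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
    -set_serial 3 -days 2 -out "$1/server.crt" 2>/dev/null
}

# Client that trusts the root and was handed only the server certificate.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.crt" "$1/server.crt" 2>/dev/null |
    grep -q ': OK$'
}

# Same client, but the intermediate arrived alongside the server certificate.
# -untrusted supplies chain-building material without making it a trust anchor.
verify_with_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
    "$1/server.crt" 2>/dev/null | grep -q ': OK$'
}

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
build_chain "$WORK" || { echo "could not build constructed chain" >&2; exit 1; }

if verify_leaf_only "$WORK"; then r=verified; else r=rejected; fi
echo "server.crt alone:             $r"
if verify_with_chain "$WORK"; then r=verified; else r=rejected; fi
echo "server.crt plus intermediate: $r"
```

The functions match on the `: OK` line rather than the exit status because older `openssl verify` builds returned 0 even when verification failed.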