| From: | Asia <asia123321(at)op(dot)pl> |
|---|---|
| To: | " <pgsql-general(at)postgresql(dot)org>" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: SSL certificates issue |
| Date: | 2011-09-07 14:00:39 |
| Message-ID: | 48689165-0a632f8b14736bc32dc81ad61237583a@pkn7.m5r2.onet |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
>
> I personally haven't tired SSL for PostgreSQL but, I think, You should
> put in root.crt only intermediate certificate (C1 - from prev post), so
> all and only all "sub-certs" of intermediate CA will be able to
> establish connection (paranoic security).
>
> Putting intermediate CAs as trusted in Java keystore may be solution,
> but I'm not sure if in situation of cert invalidation, such cert will be
> rejected.
>
> If you want to write SSL Factory, you should re-implement KeyManager
> only, to give ability of extended search.
>
> Regards,
> Radek
>
I have already tried with only C1 in root.crt but unfortunately it does not work. I get error message that cert is invalid. It seems that chained CA's are not supported in a way we would like to have it done. I would prefer to have number of trusted certs in root.crt limited as much as possible, but as I said it does not work.
About Java, I would need to analyze the libpq code and implement KeyManager in a similar way - this is surely possible but not necessarily preferred solution ;-)
Kind regards,
Joanna
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2011-09-07 14:06:10 | Re: SSL certificates issue |
| Previous Message | Adrian Klaver | 2011-09-07 13:59:41 | Re: SSL certificates issue |