| From: | Asia <asia123321(at)op(dot)pl> |
|---|---|
| To: | " <pgsql-general(at)postgresql(dot)org>" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: SSL certificates issue |
| Date: | 2011-09-07 11:49:30 |
| Message-ID: | 51418251-8a51aee2941719169cb5b7d0de900935@pkn6.m5r2.onet |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
>
> I think problem is as follows, server sends to client certificates it
> can accept (as accepted parents), without intermediate CA, Java sees
> only top-level cert and tries to find client cert issued directly by
> top-level CA, I may only assume, that without intermediate CA you will
> be able to auth against any cert signed by top-level CA (this may cause
> small security hole as well).
>
> I think this is not needed, but I suggest You too check cert "policies"
> with v3 extensions.
>
> Java is really pedantic, about security.
>
> Regards,
> Radek
>
The problem is that I believe that this configuration could be better but I cannot put part
of CA chain in root.crt as it was advised.
For Java it all depends on current SSL Factory implementation, I was using the default one.
If I wrote my own implementation I would probably be able to have common with libpq,
requiring the least info, configuration (but actually I would prefer to avoid it).
Kind regards,
Joanna
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alex Lai | 2011-09-07 12:28:12 | Re: Demoting master to slave without an rsync...is it safe? |
| Previous Message | Radosław Smogura | 2011-09-07 10:27:11 | Re: SSL certificates issue |