From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Ian Pilcher <arequipeno(at)gmail(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Trust intermediate CA for client certificates |
Date: | 2013-12-02 21:23:54 |
Message-ID: | 529CFA6A.2070608@dunslane.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general pgsql-hackers |
On 12/02/2013 04:17 PM, Tom Lane wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
>> Sorry, I should have said:
>> Tom is saying that for his openssl version, a client that passed
>> an intermediate certificate had to supply a certificate _matching_
>> something in the remote root.crt, not just signed by it.
>> At least I think that was the issue, rather than requiring the client to
>> supply a "root" certificate, meaning the client can supply an
>> intermediate or root certificicate, as long as it appears in the
>> root.crt file on the remote end.
> As far as the server is concerned, anything listed in its root.crt *is* a
> trusted root CA. Doesn't matter if it's a child of some other CA.
>
> The issue is that the client's cert has to be linked to some element of
> root.crt somehow. In principle you'd think that if the client provides
> an intermediate CA cert, the server should be able to match that to
> whichever root.crt member signed it, but that wasn't what I saw
> happening. It'd be good for someone who uses SSL more than I do to
> replicate the experiment, though. It's not impossible that I screwed up.
>
I have a test script I developed when I had some difficulties with
intermediate CAs a while back. I'll see if I can clean it up and test
this out.
cheers
andrew
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2013-12-02 21:24:49 | Re: Trust intermediate CA for client certificates |
Previous Message | Ian Pilcher | 2013-12-02 21:22:25 | Re: Trust intermediate CA for client certificates |
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2013-12-02 21:24:49 | Re: Trust intermediate CA for client certificates |
Previous Message | Dimitri Fontaine | 2013-12-02 21:22:30 | Re: Extension Templates S03E11 |