Re: Default names for CRL and CA files in the backend

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: pgsql-docs <pgsql-docs(at)postgresql(dot)org>
Subject: Re: Default names for CRL and CA files in the backend
Date: 2017-08-17 01:26:48
Message-ID: CAB7nPqQ8xnF8UX8sk1ZMAi1Tb7S9sbb0ihtB0-4uVxh_pbctKQ@mail.gmail.com
Lists: pgsql-docs

On Thu, Aug 17, 2017 at 7:31 AM, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> Commit a445cb92ef5b3a31313ebce30e18cc1d6e0bdecb removed the default names for
> serverside CRL and CA files, but the defaults were left in the "SSL Server File
> Usage" table with a small note. I completely missed the note, even after
> having been fiddling about with the code in question. Removing the filenames
> from the table, and altering the note per the attached patch, makes the docs
> clearer IMHO.

Here are additional notes on the matter.

From libpq.sgml:
<para>
In some cases, the client certificate might be signed by an
<quote>intermediate</> certificate authority, rather than one that is
directly trusted by the server. To use such a certificate, append the
certificate of the signing authority to the <filename>postgresql.crt</>
file, then its parent authority's certificate, and so on up to a certificate
authority, <quote>root</> or <quote>intermediate</>, that is trusted by
the server, i.e. signed by a certificate in the server's
<filename>root.crt</filename> file.
</para>

Am I reading that correctly? The last sentence should not mention
root.crt as well. The paragraph after that assumes that ssl_ca_file is
set to root.crt so it looks fine to use it. But that's not assumed
here.

In sslinfo.sgml:
<para>
This function is really useful only if you have more than one trusted CA
certificate in your server's <filename>root.crt</> file, or if this CA
has issued some intermediate certificate authority certificates.
</para>

In runtime.sgml:
<para>
Note that the server's <filename>root.crt</filename> lists the top-level
CAs that are considered trusted for signing client certificates.
In principle it need
not list the CA that signed the server's certificate, though in most cases
that CA would also be trusted for client certificates.
</para>
Perhaps this should be changed as well.

In config.sgml:
<para>
In previous releases of PostgreSQL, the name of this file was
hard-coded as <filename>root.crt</filename>.
</para>
[...]
<para>
In previous releases of PostgreSQL, the name of this file was
hard-coded as <filename>root.crt</filename>.
</para>
Why not mention the version of Postgres where the change has begun?
I find it confusing not to specify such a level of detail.
--
Michael
