Re: Configuring ssl_crl_file

From: "Frazer McLean" <frazer(at)frazermclean(dot)co(dot)uk>
To: "Bruce Momjian" <bruce(at)momjian(dot)us>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Configuring ssl_crl_file
Date: 2017-02-28 21:50:02
Message-ID: DD7A3D3B-A048-4E7E-909E-3065B3C4BD5E@frazermclean.co.uk
Lists: pgsql-general

On 28 Feb 2017, at 21:51, Bruce Momjian wrote:
> I have researched this and will post a blog and document the fix in
> the next few months. The reason you have to supply the entire
> certificate chain to the root CA on the client is because you have not
> used the "-extensions v3_ca" flag to openssl when creating the CA x509
> request. You have to mark the certificates as CAs so they are passed
> from the server to the client. You are looking for the CA certificates
> to say:
>
> X509v3 Basic Constraints:
> CA:TRUE
>

My `ca.cert.pem` file has

X509v3 Basic Constraints: critical
CA:TRUE

The `intermediate.cert.pem` has

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0

This intermediate cert was generated using the `v3_intermediate_ca`
extension defined in [1]. I wouldn’t expect *not* to have to give the
full certificate chain to the client, since both were created by me.

To summarise my problem and solution: the connection worked fine until
`ssl_crl_file` was enabled. I was trying to use a CRL generated from the
intermediate CA, assuming PostgreSQL would trust it since it knows about
the full CA chain in `ssl_ca_file`. Apparently, it must be a CRL
generated from the root concatenated to a CRL generated from the
intermediate, and then it works.

[1]: https://github.com/RazerM/postgres_crl_test/blob/dd9ef3ac4dd74d1cdfc6403899a09d954fd9622a/intermediate-config.txt#L99

Kind regards,

Frazer McLean
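The behaviour summarised above can be reproduced outside PostgreSQL with the openssl CLI: whole-chain CRL checking (openssl verify -crl_check_all) fails with only the intermediate's CRL and succeeds once the root's CRL is concatenated in front of it. This is an added example, not code from the thread or from the linked repository; it assumes a system openssl with its default openssl.cnf, and every CA name, path and file below is constructed for the demo.

```sh
#!/bin/sh
# Root CA -> intermediate CA (CA:TRUE, pathlen:0) -> server cert, one CRL per CA,
# then verify the server cert with CRL checking on every link of the chain.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Minimal "openssl ca" config so a CA can issue a CRL (needs an index and a CRL number).
mk_ca() {  # $1 = CA name; expects $WORK/$1.crt and $WORK/$1.key to exist
  mkdir -p "$WORK/$1"; : > "$WORK/$1/index.txt"; echo 01 > "$WORK/$1/crlnumber"
  cat > "$WORK/$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $WORK/$1/index.txt
crlnumber = $WORK/$1/crlnumber
certificate = $WORK/$1.crt
private_key = $WORK/$1.key
default_md = sha256
default_crl_days = 30
EOF
  openssl ca -config "$WORK/$1/ca.cnf" -gencrl -out "$WORK/$1.crl" 2>/dev/null
}
# Root CA: self-signed; "req -x509" marks it CA:TRUE.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
# Intermediate CA: CA:TRUE, pathlen:0, signed by the root (same shape as the thread's).
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
# Server certificate issued by the intermediate (the PostgreSQL server's cert).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/srv.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -out "$WORK/srv.crt" 2>/dev/null
mk_ca root; mk_ca int
cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/ca-bundle.crt"   # what goes in ssl_ca_file
cat "$WORK/root.crl" "$WORK/int.crl" > "$WORK/crl-bundle.crl"  # what goes in ssl_crl_file
# Verify a cert against the CA bundle, checking a CRL for every certificate in
# the chain (not just the leaf); prints OK or FAIL.
check_crl_bundle() {  # $1 = cert, $2 = CA bundle, $3 = CRL file
  if openssl verify -CAfile "$2" -CRLfile "$3" -crl_check_all "$1" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
check_crl_bundle "$WORK/srv.crt" "$WORK/ca-bundle.crt" "$WORK/int.crl"         # FAIL: no CRL covers the intermediate/root
check_crl_bundle "$WORK/srv.crt" "$WORK/ca-bundle.crt" "$WORK/crl-bundle.crl"  # OK
```

With only the leaf checked (openssl verify -crl_check without -crl_check_all) the intermediate's CRL alone would pass, which is why the single-CRL setup looks correct until the whole chain is checked.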
