From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
---|---|
To: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | PostgreSQL-documentation <pgsql-docs(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>, David Steele <david(at)pgmasters(dot)net> |
Subject: | Re: Correction of intermediate certificate handling |
Date: | 2018-01-26 03:59:23 |
Message-ID: | b5d4873a-ff77-b6f6-fd66-f725e5bc343d@2ndquadrant.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-docs |
On 1/16/18 00:33, Michael Paquier wrote:
> On top of that, src/test/ssl does not provide any kind of coverage for
> that. It would be an area of improvement for those tests.
The tests already cover this:
# intermediate client_ca.crt is provided by client, and isn't in
server's ssl_ca_file
switch_server_cert($node, 'server-cn-only', 'root_ca');
$common_connstr =
"user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key
sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
test_connect_ok($common_connstr,
"sslmode=require sslcert=ssl/client+client_ca.crt");
test_connect_fails($common_connstr, "sslmode=require
sslcert=ssl/client.crt");
If you change the Makefile rule for generating the client CA to omit the
-extensions v3_ca option, then the first test will fail.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
From | Date | Subject | |
---|---|---|---|
Next Message | Peter Eisentraut | 2018-01-26 04:59:56 | Re: Can take filesystem bkp of pg data folder when server is running |
Previous Message | Bruce Momjian | 2018-01-26 00:26:18 | Re: pg_upgrade docs are confusing if PostgreSQL's versioning system/language isn't known to reader |