Bruce Momjian <br...@momjian.us> writes:
> I have updated the patch, attached, to be clearer about the requirement
> that intermediate certificates need a chain to root certificates.
I see that you removed the sentence
The root
certificate should be included in every case where
<filename>postgresql.crt</> contains more than one certificate.
in both places where it appeared. I seem to remember that I'd put that
in on the basis of experimentation, ie it didn't work to provide just
a partial chain. You appear to be telling people that it's safe to
omit the root cert, and I think this is wrong.
Specifically, rather than the text "trusted by the server, i.e. signed by
a certificate in the server's <filename>root.crt</filename> file", I think
you need to say "trusted by the server, i.e., appears in the server's
<filename>root.crt</filename> file". Have you experimented with the
configuration you're proposing, and if so, with which OpenSSL versions?
regards, tom lane
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
