On 12/02/2013 02:17 PM, Tom Lane wrote:
> Ian Pilcher <arequip...@gmail.com> writes:
>> Yes.  And the problem is that there is no way to prevent OpenSSL from
>> accepting intermediate certificates supplied by the client.  As a
>> result, the server cannot accept client certificates signed by one
>> intermediate CA without also accepting *any* client certificate that can
>> present a chain back to the root CA.
>
> Isn't that sort of the point?
>
I'm not sure what you're asking.  The desired behavior (IMO) would be to
accept client certificates signed by some intermediate CAs without
accepting any client certificate that can present a chain back to the
trusted root.  This is currently not possible, mainly due to the way that
OpenSSL works.

--
========================================================================
Ian Pilcher                                         arequip...@gmail.com
Sent from the cloud -- where it's already tomorrow
========================================================================
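The behaviour discussed in this message, reproduced with the `openssl` command-line tool as an added example that is not part of the original thread: on a constructed PKI (all names are made up), a trust store holding only the root accepts clients of both intermediates once the client supplies its chain. The second check uses `-partial_chain`, which needs OpenSSL 1.0.2 or later and so postdates this thread, to treat one intermediate as the trust anchor instead.

```shell
#!/bin/sh
# Added demo on a constructed PKI (all names are made up): "Demo Root" signs
# "Intermediate a" (the CA the server wants) and "Intermediate b" (a sibling
# it does not want); each intermediate signs one client certificate.

make_pki() {  # $1 = empty working directory
    ( cd "$1" && echo 'basicConstraints=critical,CA:TRUE' > ca.ext || exit 1
      newreq() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
                     -keyout "$1.key" -out "$1.csr" 2>/dev/null; }
      sign() { openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
                   -CAcreateserial -days 2 -out "$1.pem" $3 2>/dev/null; }
      newreq root 'Demo Root' || exit 1
      openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
          -days 2 -out root.pem 2>/dev/null || exit 1
      for ca in a b; do
          newreq "int-$ca" "Intermediate $ca" && sign "int-$ca" root '-extfile ca.ext' &&
          newreq "client-$ca" "client-$ca" && sign "client-$ca" "int-$ca" || exit 1
      done )
}

# Trust store = root only. The client sends its own intermediate (-untrusted),
# as it would during the TLS handshake.
verify_trusting_root() {  # $1 = dir, $2 = a|b
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int-$2.pem" \
        "$1/client-$2.pem" >/dev/null 2>&1
}

# Trust store = Intermediate a only, used as the trust anchor.
# -partial_chain lets verification stop at a trusted non-root certificate.
verify_trusting_int_a() {  # $1 = dir, $2 = a|b
    openssl verify -partial_chain -CAfile "$1/int-a.pem" \
        -untrusted "$1/int-$2.pem" "$1/client-$2.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) && make_pki "$d" || return 1
    for ca in a b; do
        verify_trusting_root "$d" "$ca" && r=accepted || r=rejected
        verify_trusting_int_a "$d" "$ca" && p=accepted || p=rejected
        echo "client-$ca: root-trusted=$r int-a-only=$p"
    done
    rm -rf "$d"
}

demo
```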