On Mon, Dec 2, 2013 at 03:01:25PM -0500, Andrew Dunstan wrote:
> > I don't fully understand the issues but the discussion seems to indicate
> > this. Am I missing something? Should I run some tests?
>
> AIUI, you need a complete chain from one end to the other. So the
> cert being checked can include the intermediate cert in what it
> sends, or it can be in the root.crt at the other end, but one way or
> another, the checking end needs a complete chain from a root cert to
> the cert from the other end.
Yes, this was my understanding. Let me ask a simple question --- can you put
only the client cert on the client (postgresql.crt) and only the root cert on
the server (root.crt), and will it work?

I think Tom's question is whether OpenSSL will read through all the entries in
root.crt and find the one that signed the remote cert, and has it always done
that, i.e. does the remote side have to provide the upper-level cert to match
against.

One big thing I learned from this is that the local root.crt is only used to
verify remote certificates; it isn't related to how the remote end verifies
your certificate. Now, in most cases, the root.crt is identical for clients
and servers, but it doesn't have to be.

Put another way, I thought you put the root cert in your local root.crt and
the local cert in postgresql.crt or server.crt, but in fact the requirement is
that the local certificate chain to root must be in the remote root.crt.

Of course, I might be wrong, but I am trying to clarify this for our users.

--
  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +
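As an added example (not from the thread or from PostgreSQL), the three chain cases Andrew describes, reproduced with the openssl command line: a constructed root CA, intermediate CA and client leaf, where `chain_check` is an assumed helper name, the trust-store file plays the role of root.crt on the checking end, and `-untrusted` stands in for a cert the remote side sends along with its own.

```shell
#!/bin/sh
# Constructed demo: build root CA -> intermediate CA -> client leaf, then see
# which trust-store contents let the verifying end complete the chain.
set -eu
WORK=$(mktemp -d); cd "$WORK"
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
q() { "$@" >/dev/null 2>&1; }   # quiet wrapper, preserves the exit status

# Self-signed root CA
q openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Demo Root CA" -days 2
# Intermediate CA signed by the root
q openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
  -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA"
q openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile demo.cnf -extensions v3_ca -out inter.pem -days 2
# Leaf cert (the remote end's postgresql.crt) signed by the intermediate
q openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
  -keyout client.key -out client.csr -subj "/CN=postgres"
q openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out client.pem -days 2

# chain_check TRUSTSTORE [SENT]: prints "ok" when openssl can build a chain from
# the leaf up to a cert in TRUSTSTORE (the local root.crt), else "incomplete".
# SENT is a cert the remote side transmits with its own; it is untrusted on its
# own and only helps if it chains to something in TRUSTSTORE.
chain_check() {
  if [ -n "${2:-}" ]; then
    q openssl verify -CAfile "$1" -untrusted "$2" client.pem && echo ok || echo incomplete
  else
    q openssl verify -CAfile "$1" client.pem && echo ok || echo incomplete
  fi
}

cat root.pem inter.pem > root_plus_inter.crt
echo "root only, leaf only sent:        $(chain_check root.pem)"             # incomplete
echo "root+intermediate in root.crt:    $(chain_check root_plus_inter.crt)"  # ok
echo "root only, intermediate sent too: $(chain_check root.pem inter.pem)"   # ok
```

The first case is the "only the root cert in root.crt, only the leaf on the other side" setup from the question, and it fails for the reason Andrew gives: nothing on either end supplies the intermediate.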