On Mon, Dec  2, 2013 at 05:35:06PM -0500, Andrew Dunstan wrote:
> On 12/02/2013 04:17 PM, Tom Lane wrote:
> >Bruce Momjian <br...@momjian.us> writes:
> >>Sorry, I should have said:
> >>    Tom is saying that for his openssl version, a client that passed
> >>    an intermediate certificate had to supply a certificate _matching_
> >>    something in the remote root.crt, not just signed by it.
> >>At least I think that was the issue, rather than requiring the client to
> >>supply a "root" certificate, meaning the client can supply an
> >>intermediate or root certificate, as long as it appears in the
> >>root.crt file on the remote end.
> >As far as the server is concerned, anything listed in its root.crt *is* a
> >trusted root CA.  Doesn't matter if it's a child of some other CA.
> But it does need to be signed by a trusted signatory. At least in my
> test script (pretty ugly, but shown below for completeness), the
> Intermediate CA cert is signed with the Root cert rather than being
> self-signed as the Root cert is, and so if the server doesn't have
> that root cert as a trusted cert the validation fails.
> In case 1, we put the root CA cert on the server and append the
> intermediate CA cert to the client's cert. This succeeds. In case 2,
> we put the intermediate CA cert on the server without the root CA's
> cert, and use the bare client cert. This fails. In case 3, we put
> both the root and the intermediate certs in the server's root.crt,
> and use the bare client key, and as expected this succeeds.
> So the idea that you can just plonk any Intermediate CA cert in
> root.crt and have all keys it signs validated is not true, AFAICT.
> OpenSSL version 1.0.0j was used in these tests, on a Fedora 16 box.

OK, that behavior matches the behavior Ian observed and also matches my
most recent doc patch.  I know Tom saw something different, but unless
he can reproduce it, I am thinking my doc patch is our best solution.

  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)