* client certificate that can
present a chain back to the root CA.
Frankly, this whole conversation reinforces my belief that this behavior
is so counter-intuitive that it really should be changed.
GnuTLS for the win?
--
Ian
On 12/02/2013 02:17 PM, Tom Lane wrote:
Ian Pilcher arequip...@gmail.com writes:
Yes. And the problem is that there is no way to prevent OpenSSL from
accepting intermediate certificates supplied by the client. As a
result, the server cannot accept client certificates signed by one
.
--
Ian Pilcher arequip...@gmail.com
Sent from the cloud -- where it's already tomorrow
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org
On 12/02/2013 02:32 PM, Tom Lane wrote:
Ian Pilcher arequip...@gmail.com writes:
I'm not sure what you're asking. The desired behavior (IMO) would be to
accept client certificates signed by some intermediate CAs without
accepting any client certificate that can present a chain back
presents a certificate signed by a particular intermediate CA?
AFAIK, there is currently no way to do this.
--
Ian Pilcher arequip...@gmail.com
Sent from the cloud -- where
verifying client
cert trust paths.
Nope. It's pretty obvious from be-secure.c that only the certificates
in root.crt will be used.
--
Ian Pilcher arequip...@gmail.com
Sometimes there's
, the test client is able to connect with the
good client certificate, but it is also able to connect with the bad
client certificate when it presents a certificate chain that includes
the server CA certificate.
--
Ian Pilcher
if there is any interest in a patch to add
this functionality.
--
Ian Pilcher arequip...@gmail.com
Sometimes there's nothing left to do but crash and burn...or die trying