Re: libpq should not be using SSL_CTX_set_client_cert_cb - Mailing list pgsql-hackers

From Tom Lane
Subject Re: libpq should not be using SSL_CTX_set_client_cert_cb
Date
Msg-id 12363.1274885682@sss.pgh.pa.us
In response to Re: libpq should not be using SSL_CTX_set_client_cert_cb  (Garick Hamlin <ghamlin@isc.upenn.edu>)
Responses Re: libpq should not be using SSL_CTX_set_client_cert_cb
List pgsql-hackers
Garick Hamlin <ghamlin@isc.upenn.edu> writes:
> I am guessing the problem is that validating the presented chain is hard?  

No, the problem is that the current libpq code fails to present the
chain at all.  It will only load and send the first cert in the
postgresql.crt file.  This works only when the client's cert is signed
directly by one of the CAs trusted by the server.
        regards, tom lane

