Re: [HACKERS] Trust intermediate CA for client certificates - Mailing list pgsql-general

From Stephen Frost
Subject Re: [HACKERS] Trust intermediate CA for client certificates
Date
Msg-id 20130318125517.GU4361@tamriel.snowman.net
In response to Re: [HACKERS] Trust intermediate CA for client certificates  (Craig Ringer <craig@2ndquadrant.com>)
Responses Re: [HACKERS] Trust intermediate CA for client certificates  (Craig Ringer <craig@2ndquadrant.com>)
List pgsql-general
Craig, all,

* Craig Ringer (craig@2ndquadrant.com) wrote:
> PROBLEM VERIFIED

Let me just say "ugh".  I've long wondered why we have things set up in
such a way that the whole chain has to be in one file, but it didn't
occur to me that it'd actually end up causing this issue.  In some ways,
I really wonder about this being OpenSSL's fault as much as ours, but I
doubt they'd see it that way. :)

> What we need to happen instead is for root.crt to contain only the
> trusted certificates and have a *separate* file or directory for
> intermediate certificates that OpenSSL can look up to get the
> intermediates it needs to validate client certs, like
> `ssl_ca_chain_file` or `ssl_ca_chain_path` if we want to support
> OpenSSL's hashed certificate directories.

Makes sense to me.  I'm not particular about the names, but isn't this
set of CAs generally considered intermediary?  Eg: 'trusted',
'intermediate', etc?

    Thanks,

        Stephen
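The trust-file layout the thread describes, reproduced as an added demo (not code from the thread or from PostgreSQL): a throwaway PKI is built with the openssl CLI, then the same two client certificates are checked against (1) a trust file holding the whole chain, which is what a single root.crt forces today, and (2) a trust file holding only the trusted CA with the chain-building certificates supplied separately, which is what the proposed `ssl_ca_chain_file` would allow. `openssl verify -CAfile` plays the role of root.crt and `-untrusted` plays the role of the separate chain file; `-partial_chain` (OpenSSL 1.0.2 and later) lets a non-self-signed CA act as a trust anchor. All CA and user names are made-up demo values, and the script assumes only that `openssl` and `mktemp` are installed.

```shell
#!/bin/sh
# Demo: why a trust file that holds the whole CA chain over-trusts, and how
# separating trust anchors from chain-building intermediates fixes it.
# Assumes the openssl CLI (>= 1.0.2 for -partial_chain). Names are demo values.
set -eu

DEMO_DIR=$(mktemp -d)

# New key + CSR: csr NAME SUBJECT (keys are throwaway demo keys)
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# Build a demo PKI: root -> intermediate -> alice, plus bob issued directly by the root.
build_demo_pki() (
  cd "$DEMO_DIR"
  # Extension profiles so the demo does not depend on the system openssl.cnf.
  cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
  csr root "/CN=Demo Root CA"
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ext.cnf -extensions ca -out root.crt 2>/dev/null
  csr inter "/CN=Demo Intermediate CA"
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
    -extfile ext.cnf -extensions ca -out inter.crt 2>/dev/null
  # alice: the client we actually want to accept (issued by the intermediate)
  csr alice "/CN=alice"
  openssl x509 -req -in alice.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 30 \
    -extfile ext.cnf -extensions leaf -out alice.crt 2>/dev/null
  # bob: issued directly by the root, bypassing the intermediate
  csr bob "/CN=bob"
  openssl x509 -req -in bob.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
    -extfile ext.cnf -extensions leaf -out bob.crt 2>/dev/null
  # Today's root.crt layout: the whole chain in one file.
  cat root.crt inter.crt > chain.pem
)

# check TRUSTFILE CHAINFILE CERT -> prints "accepted" or "rejected".
# TRUSTFILE stands in for root.crt; CHAINFILE for the proposed separate chain file.
check() {
  if openssl verify -partial_chain -CAfile "$DEMO_DIR/$1" \
       -untrusted "$DEMO_DIR/$2" "$DEMO_DIR/$3" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Scenario 1 (current layout): root.crt = whole chain. Every CA in the file is a
# trust anchor, so bob (signed by the root) is accepted even when only the
# intermediate was meant to be trusted.
scenario_chain_as_trust() {
  echo "alice=$(check chain.pem chain.pem alice.crt) bob=$(check chain.pem chain.pem bob.crt)"
}

# Scenario 2 (proposed layout): root.crt = intermediate only; the root is available
# for chain building but is not a trust anchor, so bob is rejected.
scenario_trust_intermediate_only() {
  echo "alice=$(check inter.crt chain.pem alice.crt) bob=$(check inter.crt chain.pem bob.crt)"
}

# Scenario 3 (proposed layout, trusting the root): root.crt = root only; the
# intermediate comes from the separate chain file and alice still verifies.
scenario_trust_root_only() {
  echo "alice=$(check root.crt inter.crt alice.crt) bob=$(check root.crt inter.crt bob.crt)"
}

build_demo_pki
echo "whole chain as trust file:      $(scenario_chain_as_trust)"
echo "trust intermediate, chain apart: $(scenario_trust_intermediate_only)"
echo "trust root, chain apart:         $(scenario_trust_root_only)"
```

Scenario 1 is the over-trust the thread complains about: once the root has to sit in root.crt so that the intermediate can be found, anything the root signs directly is accepted too. Scenario 2 is only reachable when the trust anchors and the chain-building material live in separate files, which is the split the proposed `ssl_ca_chain_file` / `ssl_ca_chain_path` would give PostgreSQL.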
