Postgres Pro
Downloads
Home   >   mailing lists

Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Trust intermediate CA for client certificates
Date
Msg-id 20131202213807.GQ5274@momjian.us
Whole thread Raw
In response to Re: Trust intermediate CA for client certificates  (Ian Pilcher <arequipeno@gmail.com>)
List pgsql-hackers
Tree view 
On Mon, Dec  2, 2013 at 03:19:43PM -0600, Ian Pilcher wrote:
> On 12/02/2013 02:32 PM, Tom Lane wrote:
> > Ian Pilcher <arequipeno@gmail.com> writes:
> >> I'm not sure what you're asking.  The desired behavior (IMO) would be to
> >> accept client certificates signed by some intermediate CAs without
> >> accepting any client certificate that can present a chain back to the
> >> trusted root.  This is currently not possible, mainly due to the way
> >> that OpenSSL works.
> > 
> > That notion seems pretty bogus to me.  If you don't trust the root CA to
> > not hand out child CA certs to untrustworthy people, then you don't really
> > trust the root CA, do you?  You should just list the certs of the
> > intermediate CAs you *do* trust in the server's root.crt.
> 
> Assume you have a corporate policy that says that all SSL certificates
> must be signed for the corporate root CA, which is an intermediate CA
> signed by Verisign.  Presumably this means that you (or someone in your
> organization) trusts Verisign to exercise some degree of care in issuing
> their certificates, but that's a long way from wanting to allow every
> Verisign-signed (or "rooted") certificate to connect to your database
> server.

Yes, this is why we recommend self-signed certificates for Postgres.  In
this case, what value is there in using an intermediate certificate
who's root is Verisign?

> BTW, you can't just "list the certs of the intermediate CAs you do
> trust"; you have to put the root CA certificate into root.crt in order
> for OpenSSL to build a complete chain, and this means trusting *every*
> client certificate that can present a chain back to that root.  That is
> the problem.
> 
> > In any case, the idea that this is somehow OpenSSL's fault and another
> > implementation of the same protocol wouldn't have the same issue sounds
> > pretty silly.
> 
> Actually other implementations do this.  In fact, a flag was added to
> OpenSSL fairly recently to allow validating a chain only up to an
> intermediate CA for this very reason.

Interesting.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + Everyone has their own god. +

pgsql-hackers by date:

Previous
From: Dimitri Fontaine
Date:
Subject: Re: Extension Templates S03E11
Next
From: Peter Eisentraut
Date:
Subject: Re: Improvement of pg_stat_statement usage about buffer hit ratio