Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Trust intermediate CA for client certificates
Msg-id 20131203161825.GB27105@momjian.us
In response to Re: Trust intermediate CA for client certificates  (Andrew Dunstan <andrew@dunslane.net>)
List pgsql-hackers
On Mon, Dec  2, 2013 at 05:35:06PM -0500, Andrew Dunstan wrote:
> 
> On 12/02/2013 04:17 PM, Tom Lane wrote:
> >Bruce Momjian <bruce@momjian.us> writes:
> >>Sorry, I should have said:
> >>    Tom is saying that for his openssl version, a client that passed
> >>    an intermediate certificate had to supply a certificate _matching_
> >>    something in the remote root.crt, not just signed by it.
> >>At least I think that was the issue, rather than requiring the client to
> >>supply a "root" certificate, meaning the client can supply an
> >>intermediate or root certificate, as long as it appears in the
> >>root.crt file on the remote end.
> >As far as the server is concerned, anything listed in its root.crt *is* a
> >trusted root CA.  Doesn't matter if it's a child of some other CA.
> 
> 
> But it does need to be signed by a trusted signatory. At least in my
> test script (pretty ugly, but shown below for completeness), the
> Intermediate CA cert is signed with the Root cert rather than being
> self-signed as the Root cert is, and so if the server doesn't have
> that root cert as a trusted cert the validation fails.
> 
> In case 1, we put the root CA cert on the server and append the
> intermediate CA cert to the client's cert. This succeeds. In case 2,
> we put the intermediate CA cert on the server without the root CA's
> cert, and use the bare client cert. This fails. In case 3, we put
> both the root and the intermediate certs in the server's root.crt,
> and use the bare client key, and as expected this succeeds.
> 
> So the idea that you can just plonk any Intermediate CA cert in
> root.crt and have all keys it signs validated is not true, AFAICT.
> 
> OpenSSL version 1.0.0j was used in these tests, on a Fedora 16 box.

OK, that behavior matches the behavior Ian observed and also matches my
most recent doc patch.  I know Tom saw something different, but unless
he can reproduce it, I am thinking my doc patch is our best solution.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +
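The three cases Andrew describes can be reproduced without a PostgreSQL server, because the server's client-certificate check is ordinary OpenSSL chain validation against the contents of root.crt. The script below is an added example, not Andrew's test script or anything from the PostgreSQL tree: it builds a throwaway root CA, an intermediate signed by that root, and a client certificate signed by the intermediate (the names `Example Root CA`, `Example Intermediate CA` and `alice` are constructed), then runs `openssl verify` with the three trust-store configurations. It assumes the `openssl` command-line tool is on PATH and that its exit status reflects the verification result, which holds for any current release; `-untrusted` stands in for the chain certificate the client appends to its own cert in case 1.

```shell
#!/bin/sh
# Added example: reproduce the three root.crt cases from the thread with a
# throwaway PKI and `openssl verify` (default chain-building rules, which are
# what the server applies to a client certificate).
# Assumption: the openssl CLI is available and exits non-zero on failure.
set -u

# Working directory for generated keys/certs; override with PKI_DIR if wanted.
WORK="${PKI_DIR:-$(mktemp -d)}"

# Extensions that make a certificate usable as a CA. Without an explicit
# basicConstraints the intermediate would be rejected as an invalid CA.
CA_EXT="$WORK/ca.ext"

# Build root CA -> intermediate CA -> client certificate.
# CN=alice is a constructed name standing in for the database role.
make_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CA_EXT"

    # Root: self-signed, marked as a CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -days 365 -extfile "$CA_EXT" -out "$WORK/root.crt" >/dev/null 2>&1

    # Intermediate: signed by the root, NOT self-signed (the point of the thread).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 365 -extfile "$CA_EXT" -out "$WORK/intermediate.crt" >/dev/null 2>&1

    # Client: signed by the intermediate only.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" \
        -CAcreateserial -days 365 -out "$WORK/client.crt" >/dev/null 2>&1

    # The case-3 trust store: root and intermediate concatenated, like a root.crt
    # holding both.
    cat "$WORK/root.crt" "$WORK/intermediate.crt" > "$WORK/root_plus_intermediate.crt"
}

# verify_chain TRUST_FILE [extra openssl verify options...] CERT
# Exit status 0 when the chain validates against TRUST_FILE, non-zero otherwise.
verify_chain() {
    trust="$1"; shift
    openssl verify -CAfile "$trust" "$@" >/dev/null 2>&1
}

# Case 1: root CA in root.crt; client presents its cert plus the intermediate
# (-untrusted plays the role of the chain cert appended to the client cert).
case1() { verify_chain "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" "$WORK/client.crt"; }

# Case 2: only the intermediate in root.crt, bare client cert.
case2() { verify_chain "$WORK/intermediate.crt" "$WORK/client.crt"; }

# Case 3: root and intermediate both in root.crt, bare client cert.
case3() { verify_chain "$WORK/root_plus_intermediate.crt" "$WORK/client.crt"; }

# Render a case's result as a word so outcomes can be printed or compared.
outcome() { if "$1"; then echo succeeds; else echo fails; fi; }

make_pki
for c in case1 case2 case3; do
    echo "$c: $(outcome "$c")"
done
```

Running it prints `case1: succeeds`, `case2: fails`, `case3: succeeds`, matching the results reported above. Case 2 fails because OpenSSL's default chain building has to end at a self-signed certificate found in the trust store; a non-self-signed intermediate placed there is only usable once its own issuer is also available. OpenSSL 1.0.2 (released after this thread) added `X509_V_FLAG_PARTIAL_CHAIN`, exposed as `openssl verify -partial_chain`, which accepts a trusted intermediate as an anchor, but that flag is off by default, and the default is the behaviour described here. The generated directory is left in place so the certificates can be inspected with `openssl x509 -text`.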