Re: Correction of intermediate certificate handling - Mailing list pgsql-docs

From Bruce Momjian
Subject Re: Correction of intermediate certificate handling
Msg-id 20180116162122.GB1470@momjian.us
In response to Re: Correction of intermediate certificate handling  (Michael Paquier <michael.paquier@gmail.com>)
Responses Re: Correction of intermediate certificate handling  (Michael Paquier <michael.paquier@gmail.com>)
List pgsql-docs
On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
> > My talk documents this behavior.  In this talk:
> > 
> >     https://momjian.us/main/writings/pgsql/tls.pdf
> > 
> > slides 47 and 49 use -extensions v3_ca.  Slides 73 and 74 show that the
> > intermediate is not needed on the client if it is created with v3_ca and
> > exists on the server.  Slide 75 shows that the server certificate must be
> > first in server.crt.
> > 
> > I have created the attached doc patch to add this information to our
> > docs.  I would like to backpatch this since what we have now, while it
> > works, is inaccurate.
> 
> I have spent some time looking at your patch, this gets a +1 from here.

Thanks.

> This bit is important. I am happy that your patch mentions that
> intermediate certificates avoid the need to store root ones on the
> client. Should the docs mention terms like "chain of trust"?

I think the question is how much do we want to "teach" people in our
docs.  We do oddly but wisely link from our docs to HP OpenVMS docs
about how the chain of trust works:

    http://h41379.www4.hpe.com/doc/83final/ba554_90007/ch04s02.html

I will write up a paragraph about the concepts for our docs for the
group's review.

> Perhaps the docs could also include an example of command to create a
> root and an intermediate certificate in runtime.sgml or such?

Yes, I have thought about that.  My presentation has clear examples that
we can use, again based on Stephen and David's scripts using v3_ca.  I
will work up a possible patch for that too.

> On top of that, src/test/ssl does not provide any kind of coverage for
> that. It would be an area of improvement for those tests.

Wow, I have no idea how to do that.  Let me look.  Seems I have more
work to do.

Instead of appending to this doc patch, I will work on a second one for
review.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +

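Added example for this thread, not code from the talk, the docs patch or PostgreSQL's own src/test/ssl scripts: the openssl commands below build a root, an intermediate issued with a v3_ca section, and a server certificate, assemble server.crt with the server's own certificate first, and then check the three points made in the message: the first certificate in server.crt must belong to server.key, a client holding only root.crt can verify the chain because the intermediate travels in server.crt, and an intermediate issued without v3_ca (no basicConstraints CA:TRUE) is rejected. The config file stands in for the v3_ca section of a stock openssl.cnf; its contents, the v3_server section, the names and the paths are this example's assumptions.

```shell
#!/bin/sh
# Added example for this thread, not from the talk or PostgreSQL's own
# scripts. Builds root -> intermediate -> server with openssl, writes
# server.crt the way the server expects (its own certificate first) and
# checks the behaviour the message describes. Names and paths are
# this example's assumptions.
set -e

# Stand-in for the v3_ca section of a stock openssl.cnf, plus a [req]
# section so nothing depends on the system config, plus a leaf section
# that is this example's own.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:db.example.test
EOF
}

# Create keys and certificates under directory $1.
build_chain() {
  d=$1
  write_config "$d/openssl.cnf"
  for n in root intermediate server; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$d/$n.key" 2>/dev/null
  done
  # Self-signed root with the v3_ca extensions (CA:TRUE).
  openssl req -new -x509 -config "$d/openssl.cnf" -extensions v3_ca \
    -key "$d/root.key" -subj "/CN=Example Root CA" -days 7 \
    -out "$d/root.crt" 2>/dev/null
  # Intermediate: CSR signed by the root, also with v3_ca so it may sign.
  openssl req -new -config "$d/openssl.cnf" -key "$d/intermediate.key" \
    -subj "/CN=Example Intermediate CA" -out "$d/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/openssl.cnf" \
    -extensions v3_ca -days 7 -out "$d/intermediate.crt" 2>/dev/null
  # Server certificate signed by the intermediate.
  openssl req -new -config "$d/openssl.cnf" -key "$d/server.key" \
    -subj "/CN=db.example.test" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -extfile "$d/openssl.cnf" \
    -extensions v3_server -days 7 -out "$d/server_only.crt" 2>/dev/null
  # server.crt as the server wants it: own certificate first, then the
  # intermediate it hands to clients. wrong_order.crt is the mistake.
  cat "$d/server_only.crt" "$d/intermediate.crt" > "$d/server.crt"
  cat "$d/intermediate.crt" "$d/server_only.crt" > "$d/wrong_order.crt"
  # Same intermediate CSR signed WITHOUT v3_ca, so no CA:TRUE.
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" \
    -CAkey "$d/root.key" -CAcreateserial -days 7 \
    -out "$d/intermediate_nov3.crt" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate_nov3.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 7 \
    -out "$d/server_nov3_only.crt" 2>/dev/null
  cat "$d/server_nov3_only.crt" "$d/intermediate_nov3.crt" > "$d/server_nov3.crt"
}

# True when the first certificate in $1 carries the public key of key $2,
# which is what the server requires of server.crt and server.key.
first_cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout)" ]
}

# True when the first certificate in $1 chains to trust anchor $2 using
# only the other certificates in $1: what a client holding just the root
# can do with what the server sends.
chain_verifies() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

demo() {
  w=$(mktemp -d)
  build_chain "$w"
  first_cert_matches_key "$w/server.crt" "$w/server.key" \
    && echo "server.crt: server certificate first, matches server.key"
  first_cert_matches_key "$w/wrong_order.crt" "$w/server.key" \
    || echo "wrong_order.crt: first certificate is the intermediate, key mismatch"
  chain_verifies "$w/server.crt" "$w/root.crt" \
    && echo "client with only root.crt verifies server.crt"
  chain_verifies "$w/server_only.crt" "$w/root.crt" \
    || echo "server_only.crt: intermediate not sent, root alone cannot verify"
  chain_verifies "$w/server_nov3.crt" "$w/root.crt" \
    || echo "server_nov3.crt: intermediate lacks CA:TRUE, chain rejected"
  rm -rf "$w"
}

demo
```

Run it as a plain script; it needs only openssl and mktemp. The trust anchor passed to openssl verify is root.crt alone, so a passing check on server.crt is exactly the "intermediate on the server, not on the client" case from slides 73 and 74, and the key comparison on wrong_order.crt is the failure slide 75 warns about.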
