Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Trust intermediate CA for client certificates
Date
Msg-id 20706.1386014868@sss.pgh.pa.us
In response to Re: Trust intermediate CA for client certificates  (Bruce Momjian <bruce@momjian.us>)
Responses Re: Trust intermediate CA for client certificates
List pgsql-hackers
Bruce Momjian <bruce@momjian.us> writes:
> On Mon, Dec  2, 2013 at 12:59:41PM -0500, Tom Lane wrote:
>> I see that you removed the sentence
>> The root
>> certificate should be included in every case where
>> <filename>postgresql.crt</> contains more than one certificate.

> I don't fully understand the issues but the discussion seems to indicate
> this.  Am I missing something?  Should I run some tests?

My recollection is that if the client cert file includes *only* the
client's own cert, the server will puzzle out how that connects to the
certs it has.  However, if the client cert file contains more than one
cert (ie, client's cert and some intermediate-CA cert), the server
will *not* try to associate the intermediate cert with some root cert it
has.  It wants the chain the client sends to terminate in a cert that it
has listed directly in root.crt.

It's possible that my recollection is faulty, or that this behavior was
a bug that's been fixed in more recent OpenSSL versions.  If it's the
latter, though, I hesitate to tell people they can rely on the corrected
behavior.  The text in question is from May 2010, and I would've been
testing on whatever OpenSSL version was then current in Fedora, so it
would hardly be a version that's disappeared from the wild.
        regards, tom lane
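The behaviour being recalled above can be checked against whatever OpenSSL is installed locally. The following is an added example, not code from the thread or from PostgreSQL: it builds a throwaway root, intermediate and client certificate with the openssl CLI, then uses `openssl verify` as a stand-in for the server-side check, with `-CAfile` playing the role of the server's root.crt and `-untrusted` playing the role of the extra certificates a client appends to its own postgresql.crt. All names, file paths and validity periods are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from PostgreSQL): build a throwaway
# root -> intermediate -> client chain with the openssl CLI, then let
# `openssl verify` stand in for the server-side check to see which
# combinations of "what is in root.crt" and "what the client sends" verify.
# All names, files and the 2-day validity are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# Self-signed root CA.
openssl req -config "$WORK/ca.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Demo Root CA" -days 2 2>/dev/null

# Intermediate CA, issued by the root.
openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.cnf" -extensions v3_ca -days 2 \
    -out "$WORK/int.pem" 2>/dev/null

# Client certificate, issued by the intermediate.
openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" -subj "/CN=alice" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/ca.cnf" -extensions v3_leaf -days 2 \
    -out "$WORK/client.pem" 2>/dev/null

# A root.crt that lists both the root and the intermediate.
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/root_and_int.pem"

# chain_verifies TRUST UNTRUSTED [extra openssl-verify flags...]
#   TRUST     file standing in for the server's root.crt
#   UNTRUSTED file standing in for certificates the client appends to its own
#             postgresql.crt ("" when the client sends only its own cert)
# Exit status 0 when client.pem verifies, non-zero otherwise.
chain_verifies() {
    trust="$WORK/$1"; shift
    untrusted="$1"; shift
    if [ -n "$untrusted" ]; then
        set -- "$@" -untrusted "$WORK/$untrusted"
    fi
    openssl verify -no-CApath -CAfile "$trust" "$@" "$WORK/client.pem" >/dev/null 2>&1
}

# describe LABEL TRUST UNTRUSTED [flags...]: print one line per scenario.
describe() {
    label=$1; shift
    if chain_verifies "$@"; then result="verifies"; else result="does NOT verify"; fi
    printf '%-60s %s\n' "$label" "$result"
}

describe "root.crt = root + intermediate; client sends leaf only"      root_and_int.pem ""
describe "root.crt = root only; client sends leaf only"                root.pem ""
describe "root.crt = root only; client sends leaf + intermediate"      root.pem int.pem
describe "root.crt = intermediate only; client sends leaf + intermed." int.pem int.pem
describe "  same, but verify with -partial_chain"                      int.pem int.pem -partial_chain
```

The scenarios exercise OpenSSL's default chain-building rules: a chain has to end in a self-signed certificate from the trust file unless the caller opts into partial chains (the `-partial_chain` flag of `openssl verify`). Whether a given server build passes the same flags to OpenSSL as the CLI does is exactly what has to be confirmed against that server before relying on the result, which is the uncertainty the message above is pointing at.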