Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request - Mailing list pgsql-bugs

From Tom Lane
Subject Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
Msg-id 3293.1274840194@sss.pgh.pa.us
In response to Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request  (Craig Ringer <craig@postnewspapers.com.au>)
Responses Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request  (Craig Ringer <craig@postnewspapers.com.au>)
List pgsql-bugs
Craig Ringer <craig@postnewspapers.com.au> writes:
> You are confusing these two unrelated phases of SSL negotiation.

No, I don't think so.

> For the complaint in #5245 to be addressed, the server must send the
> full certificate chain for the certificate the server is using to
> identify itself as pgserver.domain.com to the client during the
> ServerHello phase of SSL negotiation. If correctly configured, the
> server already does this, and #5245 really just needs some documentation
> improvements.

As best I can tell, the server already does that, if correctly
configured, and the configuration described in #5245 is correct.
Therefore, it's failing because of something else.  What the reporter
of #5245 *says* the bug is is not necessarily what it *actually* is.
What I believe his *actual* problem is is that Java is unable to verify
the cert chain without a name for (at least) the root cert.  That makes
it the same as #5468, or at least it has the same fix.

I have found an additional bug here, but it's in libpq not the server,
and thus not responsible for either your bug report or his.  I'll start
a new thread about that in a minute.

            regards, tom lane
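The accepted-CA list this bug is about travels in the TLS CertificateRequest message, which is separate from the server's own certificate chain sent earlier in the handshake. The following is an added example, not code from this thread or from PostgreSQL: a small parser for the CertificateRequest body that lists the distinguished names a server advertises, so a captured handshake can be checked for the empty list that is the symptom here. It assumes the TLS 1.0/1.1 layout by default (TLS 1.2 inserts a signature-algorithms field, handled by the `tls12` flag), and the sample message is constructed inline, not captured from a real server.

```python
import struct

OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}  # common DN attribute OIDs

def der(tag, body):
    return bytes([tag, len(body)]) + body  # DER TLV builder for sample data only (short-form length)

def der_tlv(buf, pos):
    """Read one DER TLV at pos; returns (tag, value, next_pos); short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def name_to_str(dn):
    """Render a DER DistinguishedName as 'O=.., CN=..' in encoded RDN order."""
    _, rdns, _ = der_tlv(dn, 0)                   # Name ::= SEQUENCE OF RelativeDistinguishedName
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = der_tlv(rdns, pos)          # RDN ::= SET OF AttributeTypeAndValue
        _, atv, _ = der_tlv(rdn, 0)               # first AttributeTypeAndValue only
        _, oid, p = der_tlv(atv, 0)
        _, val, _ = der_tlv(atv, p)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def parse_certificate_request(msg, tls12=False):
    """Parse a Handshake CertificateRequest (type 13); an empty result means no CA names were advertised."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 1 + body[0]                                              # skip certificate_types
    if tls12:                                                      # TLS 1.2 adds supported_signature_algorithms
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")       # certificate_authorities<0..2^16-1>
    pos, names = pos + 2, []
    while pos < end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big")
        names.append(name_to_str(body[pos + 2:pos + 2 + dn_len]))
        pos += 2 + dn_len
    return names

def build_certificate_request(ca_names, tls12=False):
    """Constructed sample: rsa_sign client certs plus the given CA names, each a list of (oid, utf8 value)."""
    cas = b""
    for attrs in ca_names:
        dn = der(0x30, b"".join(der(0x31, der(0x30, der(0x06, o) + der(0x0C, v))) for o, v in attrs))
        cas += struct.pack("!H", len(dn)) + dn
    body = b"\x01\x01" + (b"\x00\x02\x04\x01" if tls12 else b"") + struct.pack("!H", len(cas)) + cas
    return b"\x0d" + len(body).to_bytes(3, "big") + body
```

`parse_certificate_request(build_certificate_request([[(b"\x55\x04\x03", b"pgroot")]]))` returns `['CN=pgroot']`; a server that never calls the OpenSSL client-CA-list setter produces the empty list instead.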
