Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request - Mailing list pgsql-bugs

On 26/05/10 09:59, Craig Ringer wrote:
> On 26/05/10 09:35, Tom Lane wrote:
>
>> I am now of the opinion that bug #5245 is in fact an exact dup of
>> bug #5468.  The previous reporter was jumping to conclusions about what
>> his problem was: it was not that the server didn't send the full cert
>> chain, but that Java couldn't do the right thing without having the list
>> of cert names.
>
> No, they ARE NOT the same thing.
>
> #5468 is about *CLIENT* *CERTIFICATE* *AUTHENTICATION* where the
>     *SERVER* VALIDATES THE *CLIENT* after the server sends a
>     ServerHello.
>
> #5245 is about *CLIENT* *VALIDATION* *OF* *THE* *SERVER*, where the
>     *CLIENT* VALIDATES THE *SERVER* after the server sends a
>     CertificateRequest.

Argh, now I'm getting MYSELF backwards. Correction:

#5468 is about *CLIENT* *CERTIFICATE* *AUTHENTICATION* where the
    *SERVER* VALIDATES THE *CLIENT* after the server sends a
    *CertificateRequest*.       <-- Was reversed above

#5245 is about *CLIENT* *VALIDATION* *OF* *THE* *SERVER*, where the
    *CLIENT* VALIDATES THE *SERVER* after the server sends a
    *ServerHello*.              <-- Was reversed above




--
Craig Ringer

Tech-related writing: http://soapyfrogs.blogspot.com/