Home > mailing lists

Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request - Mailing list pgsql-bugs

From	Craig Ringer
Subject	Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
Date	May 26, 2010 05:33:18
Msg-id	4BFCB20F.2030308@postnewspapers.com.au Whole thread Raw
In response to	Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request (Tom Lane <tgl@sss.pgh.pa.us>)
Responses	Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-bugs

Tree view

On 26/05/10 11:01, Tom Lane wrote:
> In principle, you could have the server and clients using totally
> nonoverlapping sets of trusted CAs (nonoverlapping root.crt lists),
> as long as each can chain its identity up to a CA the other trusts.
> So it's all nice and symmetrical.

... and it's exactly this cases that confuses keystore based clients
that may have multiple certs installed.

See the self-contained test case here:

  http://www.postnewspapers.com.au/~craig/testcase.zip

... which includes a Pg datadir and configuration, the certificate
authority, the certificates, a detailed log of test case setup, the test
programs, logs of test output along with explanation of those logs, etc.

--
Craig Ringer

Tech-related writing: http://soapyfrogs.blogspot.com/

pgsql-bugs by date:

From: Mark Kirkwood
Date: 26 May 2010, 04:14:31
Subject: Re: BUG #5469: regexp_matches() has poor behaviour and more poor documentation

From: Daniele Varrazzo
Date: 26 May 2010, 11:58:26
Subject: Re: BUG #5469: regexp_matches() has poor behaviour and more poor documentation

Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request - Mailing list pgsql-bugs

Previous

Next