Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From Ian Pilcher
Subject Re: Trust intermediate CA for client certificates
Date
Msg-id 529CE9F7.6090300@gmail.com
Whole thread Raw
In response to Re: Trust intermediate CA for client certificates  (Andrew Dunstan <andrew@dunslane.net>)
Responses Re: Trust intermediate CA for client certificates
List pgsql-hackers
On 12/02/2013 02:01 PM, Andrew Dunstan wrote:
> AIUI, you need a complete chain from one end to the other. So the cert
> being checked can include the intermediate cert in what it sends, or it
> can be in the root.crt at the other end, but one way or another, the
> checking end needs a complete chain from a root cert to the cert from
> the other end.

Yes.  And the problem is that there is no way to prevent OpenSSL from
accepting intermediate certificates supplied by the client.  As a
result, the server cannot accept client certificates signed by one
intermediate CA without also accepting *any* client certificate that can
present a chain back to the root CA.

Frankly, this whole conversation reinforces my belief that this behavior
is so counter-intuitive that it really should be changed.

GnuTLS for the win?

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com          Sent from the cloud -- where it's
alreadytomorrow
 
========================================================================



pgsql-hackers by date:

Previous
From: Stephen Frost
Date:
Subject: Re: Extension Templates S03E11
Next
From: Dean Rasheed
Date:
Subject: Re: Re: [BUGS] BUG #7873: pg_restore --clean tries to drop tables that don't exist