Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From Ian Pilcher
Subject Re: Trust intermediate CA for client certificates
Date
Msg-id 529CEBDD.4060006@gmail.com
In response to Re: Trust intermediate CA for client certificates  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On 12/02/2013 02:17 PM, Tom Lane wrote:
> Ian Pilcher <arequipeno@gmail.com> writes:
>> Yes.  And the problem is that there is no way to prevent OpenSSL from
>> accepting intermediate certificates supplied by the client.  As a
>> result, the server cannot accept client certificates signed by one
>> intermediate CA without also accepting *any* client certificate that can
>> present a chain back to the root CA.
> 
> Isn't that sort of the point?
> 

I'm not sure what you're asking.  The desired behavior (IMO) would be to
accept client certificates signed by some intermediate CAs without
accepting any client certificate that can present a chain back to the
trusted root.  This is currently not possible, mainly due to the way
that OpenSSL works.

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
Sent from the cloud -- where it's already tomorrow
========================================================================
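
The behaviour described in this message, modelled as an added example that is not part of the original post and is not PostgreSQL or OpenSSL code: with only the root as trust anchor, a path builder that uses peer-supplied intermediates accepts leaves issued under any intermediate. Signatures are abstracted as issuer/subject name matching; `Cert`, `build_chain`, `accept`, the sample certificates and the `allowed_issuers` check on the verified chain are assumptions of this example, not something the thread proposes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False


def build_chain(leaf, untrusted, anchors, max_depth=8):
    """Return [leaf, ..., anchor], or None if no path to a trust anchor exists.

    Issuers are looked up first among the trust anchors, then in the pool of
    certificates the peer sent. Name matching stands in for signature checks.
    """
    chain, current = [leaf], leaf
    for _ in range(max_depth):
        anchor = next((c for c in anchors
                       if c.is_ca and c.subject == current.issuer), None)
        if anchor is not None:
            return chain + [anchor]
        nxt = next((c for c in untrusted if c.is_ca
                    and c.subject == current.issuer and c not in chain), None)
        if nxt is None:
            return None
        chain.append(nxt)
        current = nxt
    return None


def accept(leaf, untrusted, anchors, allowed_issuers=None):
    """Root-only trust when allowed_issuers is None; otherwise additionally
    require that the CA that issued the leaf is explicitly allowed."""
    chain = build_chain(leaf, untrusted, anchors)
    if chain is None:
        return False
    if allowed_issuers is None:
        return True  # any chain back to the root passes
    # A real check would compare a fingerprint of the issuing CA certificate,
    # not its subject name; names are used here only to keep the model small.
    return chain[1].subject in allowed_issuers


# Constructed sample certificates
ROOT = Cert("CN=Root CA", "CN=Root CA", is_ca=True)
INT_A = Cert("CN=Intermediate A", "CN=Root CA", is_ca=True)
INT_B = Cert("CN=Intermediate B", "CN=Root CA", is_ca=True)
ALICE = Cert("CN=alice", "CN=Intermediate A")
BOB = Cert("CN=bob", "CN=Intermediate B")
```
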


