Re: what can go in root.crt ? - Mailing list pgsql-hackers

From Chapman Flack
Subject Re: what can go in root.crt ?
Date
Msg-id 5ECC1D64.1000808@anastigmatix.net
Whole thread Raw
In response to what can go in root.crt ?  (Chapman Flack <chap@anastigmatix.net>)
Responses Re: what can go in root.crt ?
Re: what can go in root.crt ?
List pgsql-hackers
On 05/25/20 15:15, Chapman Flack wrote:
> Does that mean it also would fail if I directly put the server's
> end-entity cert there?
> 
> Would I have to put all three of WE ISSUE TO ORGS LIKE YOURS,
> WE ISSUE TO LOTS, and WE ISSUE TO EVERYBODY in the root.crt file
> in order for verification to succeed?
> 
> If I did that, would the effect be any different from simply putting
> WE ISSUE TO EVERYBODY there, as before? Would it then happily accept
> a cert with a chain that ended at WE ISSUE TO EVERYBODY via some other
> path? Is there a way I can accomplish trusting only certs issued by
> WE ISSUE TO ORGS LIKE YOURS?

The client library is the PG 10 one that comes with Ubuntu 18.04
in case it matters.

I think I have just verified that I can't make it work by putting
the end entity cert there either. It is back working again with only
the WE ISSUE TO EVERYBODY cert there, but if there is a workable way
to narrow that grant of trust a teensy little bit, I would be happy
to do that.

Regards,
-Chap



pgsql-hackers by date:

Previous
From: David Fetter
Date:
Subject: Re: Since '2001-09-09 01:46:40'::timestamp microseconds are lostwhen extracting epoch
Next
From: Jeff Davis
Date:
Subject: Re: Trouble with hashagg spill I/O pattern and costing