Re: SSL certificates issue - Mailing list pgsql-general

From: Radosław Smogura
Subject: Re: SSL certificates issue
Msg-id: 8d5ed95a5242ec6dc639d24ff94d490d@mail.softperience.eu
In response to: Re: SSL certificates issue (Asia <asia123321@op.pl>)
List: pgsql-general
On Wed, 07 Sep 2011 13:49:30 +0200, Asia wrote:
>>
>> I think the problem is as follows: the server sends to the client the
>> certificates it can accept (as accepted parents), without the
>> intermediate CA. Java sees only the top-level cert and tries to find a
>> client cert issued directly by the top-level CA. I may only assume that
>> without the intermediate CA you will be able to auth against any cert
>> signed by the top-level CA (this may cause a small security hole as
>> well).
>>
>> I think this is not needed, but I suggest you also check the cert
>> "policies" with v3 extensions.
>>
>> Java is really pedantic about security.
>>
>> Regards,
>> Radek
>>
>
>
> The problem is that I believe that this configuration could be better,
> but I cannot put part of the CA chain in root.crt as it was advised.
> For Java it all depends on the current SSL Factory implementation; I was
> using the default one.
> If I wrote my own implementation I would probably be able to have it in
> common with libpq, requiring the least info/configuration (but actually
> I would prefer to avoid it).
>
> Kind regards,
> Joanna

I personally haven't tried SSL for PostgreSQL but, I think, you should
put in root.crt only the intermediate certificate (C1 from the previous
post), so all and only all "sub-certs" of the intermediate CA will be
able to establish a connection (paranoid security).

Putting intermediate CAs as trusted in the Java keystore may be a
solution, but I'm not sure if, in the situation of cert invalidation,
such a cert will be rejected.

If you want to write an SSL Factory, you should re-implement the
KeyManager only, to give it the ability of an extended search.

Regards,
Radek
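The "re-implement the KeyManager only" approach above, as an added example that is not part of this thread or of the PostgreSQL JDBC driver: a hypothetical wrapper around the default X509KeyManager that, when the server's CertificateRequest names only the top-level CA, walks each keystore alias's stored chain so a client cert issued by the intermediate CA is still selected. It assumes the client keystore entry holds the full chain (leaf plus intermediate) and that the server still validates that chain against its own root.crt.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/** Hypothetical wrapper (not part of the thread). The default alias search only
 *  matches a cert whose direct issuer is one of the advertised DNs; this one also
 *  accepts an alias whose stored chain contains such a cert (e.g. the intermediate). */
public final class ChainAwareKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    public ChainAwareKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        String alias = delegate.chooseClientAlias(keyTypes, issuers, socket);
        if (alias != null || issuers == null) return alias; // default search was enough
        for (String keyType : keyTypes) {
            String[] candidates = delegate.getClientAliases(keyType, null); // all of this type
            if (candidates == null) continue;
            for (String candidate : candidates) {
                if (chainReaches(delegate.getCertificateChain(candidate), issuers)) return candidate;
            }
        }
        return null; // nothing chains up to an accepted issuer: no client cert is offered
    }

    /** True if any cert in the stored chain (leaf or intermediate) was issued by one of
     *  the DNs the server advertised. Needs the keystore entry to hold the full chain. */
    static boolean chainReaches(X509Certificate[] chain, Principal[] issuers) {
        if (chain == null) return false;
        for (X509Certificate cert : chain) {
            X500Principal issuer = cert.getIssuerX500Principal();
            for (Principal accepted : issuers) {
                if (issuer.equals(accepted)) return true; // JSSE passes X500Principal here
            }
        }
        return false;
    }

    @Override // SSLEngine-based (NIO) clients enter through this method instead
    public String chooseEngineClientAlias(String[] kt, Principal[] is, SSLEngine e) { return chooseClientAlias(kt, is, null); }
    @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return delegate.chooseServerAlias(kt, is, s); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}
```

Wire it in by wrapping the X509KeyManager obtained from KeyManagerFactory and passing the wrapper to SSLContext.init(); the server-side root.crt decision Radek describes is unchanged by this.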
