Thread: BUG #15137: X509 auth breaks in CA has extendedKeyUsage

BUG #15137: X509 auth breaks in CA has extendedKeyUsage

From
PG Bug reporting form
Date:
The following bug has been logged on the website:

Bug reference:      15137
Logged by:          cocowalla
Email address:      colin.anderson333+pgsql@gmail.com
PostgreSQL version: 10.2
Operating system:   Debian
Description:

I've setup my own X509 CA for testing. If the `extendedKeyUsage` flags is
set to a custom OID in the CA certificate, Postgres is unable to verify any
client certificates.

I see this in the logs, and clients cannot connect:

  Could not accept SSL connection: certificate verify failed

Sample openssl config snippet:

[ ca_extensions ]
basicConstraints       = CA:true
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage               = keyCertSign,cRLSign,digitalSignature
extendedKeyUsage       = 1.3.6.1.4.1.12345.1.2

And the command used to generate the CA:
openssl req -new -x509 -sha256 -subj
"/O=Acme/OU=Acme/emailAddress=support@acme.com/CN=MyCA" -keyout "CA.key"
-out "CA.crt" -days 7300 -newkey rsa:2048 -extensions ca_extensions