BUG #15137: X509 auth breaks in CA has extendedKeyUsage
| From | PG Bug reporting form |
|---|---|
| Subject | BUG #15137: X509 auth breaks in CA has extendedKeyUsage |
| Date | |
| Msg-id | 152241548992.6324.5143838178015534589@wrigleys.postgresql.org |
| List | pgsql-bugs |

The following bug has been logged on the website:

Bug reference: 15137
Logged by: cocowalla
Email address: colin.anderson333+pgsql@gmail.com
PostgreSQL version: 10.2
Operating system: Debian
Description:

I've set up my own X509 CA for testing. If the `extendedKeyUsage` flag is set to a custom OID in the CA certificate, Postgres is unable to verify any client certificates.

I see this in the logs, and clients cannot connect:

    Could not accept SSL connection: certificate verify failed

Sample openssl config snippet:

    [ ca_extensions ]
    basicConstraints = CA:true
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always, issuer:always
    keyUsage = keyCertSign,cRLSign,digitalSignature
    extendedKeyUsage = 1.3.6.1.4.1.12345.1.2

And the command used to generate the CA:

    openssl req -new -x509 -sha256 -subj "/O=Acme/OU=Acme/emailAddress=support@acme.com/CN=MyCA" -keyout "CA.key" -out "CA.crt" -days 7300 -newkey rsa:2048 -extensions ca_extensions
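
Added example, not part of the original report: a way to test a CA profile with openssl alone, outside PostgreSQL, by verifying a client certificate with `-purpose sslclient`, which applies OpenSSL's extended key usage check to the CA certificate as well as the leaf. The directory names, the `testuser` subject, the 30-day lifetime, the `-nodes`/`-config` options and the third profile (custom OID plus `clientAuth`) are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: check a CA profile against OpenSSL's sslclient purpose test.
# make_pki DIR EKU_LINE builds a throwaway CA plus one client certificate.
make_pki() {
  dir=$1 eku=$2
  mkdir -p "$dir"
  # CA extensions copied from the report; EKU_LINE is the part under test.
  cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_extensions ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = keyCertSign,cRLSign,digitalSignature
$eku
EOF
  # -nodes and -config are additions so the commands run unattended.
  openssl req -new -x509 -sha256 -nodes -config "$dir/ca.cnf" \
    -subj "/O=Acme/OU=Acme/CN=MyCA" -keyout "$dir/CA.key" -out "$dir/CA.crt" \
    -days 30 -newkey rsa:2048 -extensions ca_extensions 2>/dev/null &&
  openssl req -new -nodes -config "$dir/ca.cnf" -subj "/CN=testuser" \
    -keyout "$dir/client.key" -out "$dir/client.csr" -newkey rsa:2048 2>/dev/null &&
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
    -CAcreateserial -out "$dir/client.crt" -days 30 2>/dev/null
}

# verify_client DIR succeeds only if the chain is accepted for TLS client auth.
verify_client() {
  out=$(openssl verify -purpose sslclient -CAfile "$1/CA.crt" "$1/client.crt" 2>&1) || return 1
  # Count any reported "error N at M depth lookup" line as a failure too.
  ! printf '%s\n' "$out" | grep -q '^error '
}

demo() {
  work=$(mktemp -d)
  make_pki "$work/none" ""
  make_pki "$work/custom" "extendedKeyUsage = 1.3.6.1.4.1.12345.1.2"
  make_pki "$work/both" "extendedKeyUsage = clientAuth, 1.3.6.1.4.1.12345.1.2"
  for ca in none custom both; do
    if verify_client "$work/$ca"; then echo "$ca: accepted"; else echo "$ca: rejected"; fi
  done
  rm -rf "$work"
}
demo
```

Running the same `openssl verify -purpose sslclient` command against an existing CA and client certificate shows whether a connection failure comes from the certificate profile or from the server configuration.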