Re: no verification of client certificate?

From: Michael Fuhr
Subject: Re: no verification of client certificate?
Date:
Msg-id: 20070326025713.GA5653@winnie.fuhr.org
In reply to: Re: no verification of client certificate?  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses: Re: no verification of client certificate?
List: pgsql-admin
On Sun, Mar 25, 2007 at 10:01:20PM -0400, Tom Lane wrote:
> I looked more closely and you are right: if the server does not have
> a root.crt file then it doesn't send its server cert to the client,
> and so there's no way for the client to verify the cert.

Eh?  ssldump shows otherwise here with 8.2.3.  Here's a connection
where the server has server.key and server.crt but no root.crt, and
the client has the root.crt that signed server.crt and nothing else
in ~/.postgresql:

1 1  0.0338 (0.0338)  C>S  Handshake      ClientHello
1 2  0.5179 (0.4841)  S>C  Handshake      ServerHello
1 3  0.5179 (0.0000)  S>C  Handshake      Certificate
1 4  0.5181 (0.0001)  S>C  Handshake      ServerKeyExchange
1 5  0.5181 (0.0000)  S>C  Handshake      ServerHelloDone
1 6  0.6115 (0.0934)  C>S  Handshake      ClientKeyExchange
1 7  0.6115 (0.0000)  C>S  ChangeCipherSpec
1 8  0.6115 (0.0000)  C>S  Handshake
1 9  0.9605 (0.3489)  S>C  ChangeCipherSpec
1 10 0.9605 (0.0000)  S>C  Handshake

The client is now connected with DHE-RSA-AES256-SHA.

Here's a dump with the same server configuration (server.key, server.crt,
no root.crt) but now the client has a different root.crt than the one
that signed server.crt:

1 1  0.0335 (0.0335)  C>S  Handshake      ClientHello
1 2  0.5626 (0.5290)  S>C  Handshake      ServerHello
1 3  0.5626 (0.0000)  S>C  Handshake      Certificate
1 4  0.5628 (0.0001)  S>C  Handshake      ServerKeyExchange
1 5  0.5628 (0.0000)  S>C  Handshake      ServerHelloDone
1 6  0.5644 (0.0016)  C>S  Alert          fatal          unknown_ca

If the client has PGSSLMODE set to "require" then the connection
fails at the client with "psql: SSL error: certificate verify failed"
and the server logs "could not accept SSL connection: tlsv1 alert
unknown ca".

Did you run any tests?  If so, how did you generate the server's
certificate?

--
Michael Fuhr
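The two ssldump traces above, reduced to a wire-level check, as an added example that is not part of the original post and not PostgreSQL or libpq code. It does two things: builds the SSLRequest startup packet libpq sends before TLS begins (code 80877103, from the frontend/backend protocol documentation) and opens a verified TLS session against a live server with a given root.crt, and, separately, parses a captured plaintext TLS handshake to answer the two questions in the thread: did the server send a Certificate message, and did the client answer with a fatal unknown_ca alert. The byte strings are constructed stand-ins for the second trace, not a real capture; `connect_verified` is a hypothetical helper that needs a running server, and its `check_hostname = False` is an assumption chosen to mirror a chain-only check rather than a hostname check.

```python
"""Wire-level view of the server-certificate question from the thread.

Added example; not from the original post or from PostgreSQL.
Assumptions: SSLRequest code 80877103 (PG protocol docs); TLS handshake
type and alert codes from the TLS specification; sample bytes constructed.
"""
import socket
import ssl
import struct

SSL_REQUEST_CODE = 80877103          # (1234 << 16) | 5679


def ssl_request_packet() -> bytes:
    """The 8-byte startup packet a client sends before negotiating TLS."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def connect_verified(host: str, port: int, cafile: str) -> str:
    """Hypothetical helper: speak SSLRequest, then verify the server cert
    against `cafile` (the client's root.crt). Returns the cipher name, or
    raises ssl.SSLCertVerificationError, which is what the server then logs
    as "tlsv1 alert unknown ca". Needs a live server; not run by the tests."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = False       # assumption: chain check only, no hostname check
    with socket.create_connection((host, port)) as raw:
        raw.sendall(ssl_request_packet())
        answer = raw.recv(1)
        if answer != b"S":           # 'N' means the server will not do TLS
            raise RuntimeError(f"server declined SSL: {answer!r}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0]


# --- parsing a captured plaintext handshake --------------------------------

HANDSHAKE, ALERT = 22, 21
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}


def parse_tls_records(data: bytes):
    """Yield (content_type, fragment) per TLS record; plaintext records only,
    which is all there is before ChangeCipherSpec."""
    off = 0
    while off + 5 <= len(data):
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", data, off)
        off += 5
        yield ctype, data[off:off + length]
        off += length


def parse_handshake_messages(fragment: bytes):
    """Split one Handshake record into (name, body) pairs. Simplification:
    each message is assumed to fit inside a single record."""
    off = 0
    while off + 4 <= len(fragment):
        htype = fragment[off]
        length = int.from_bytes(fragment[off + 1:off + 4], "big")
        yield HANDSHAKE_NAMES.get(htype, f"type_{htype}"), fragment[off + 4:off + 4 + length]
        off += 4 + length


def summarize_trace(data: bytes) -> dict:
    """Did the server send a Certificate, and was there an alert?"""
    out = {"server_sent_certificate": False, "alert": None, "messages": []}
    for ctype, payload in parse_tls_records(data):
        if ctype == HANDSHAKE:
            for name, _body in parse_handshake_messages(payload):
                out["messages"].append(name)
                if name == "Certificate":
                    out["server_sent_certificate"] = True
        elif ctype == ALERT and len(payload) == 2:
            out["alert"] = (ALERT_LEVELS.get(payload[0], "?"),
                            ALERT_DESCRIPTIONS.get(payload[1], f"code_{payload[1]}"))
    return out


# --- constructed sample: server flight, then the client's fatal unknown_ca --

def _handshake(htype: int, body: bytes = b"") -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BBBH", ctype, 3, 1, len(payload)) + payload   # TLS 1.0 header


REJECTED_TRACE = (
    _record(HANDSHAKE, _handshake(2, b"\x03\x01" + bytes(32)))      # ServerHello (dummy body)
    + _record(HANDSHAKE, _handshake(11, b"\x00\x00\x00"))           # Certificate (empty list)
    + _record(HANDSHAKE, _handshake(12) + _handshake(14))           # ServerKeyExchange, ServerHelloDone
    + _record(ALERT, bytes([2, 48]))                                # fatal (2), unknown_ca (48)
)

if __name__ == "__main__":
    print(ssl_request_packet().hex())
    print(summarize_trace(REJECTED_TRACE))
```

Point `summarize_trace` at the raw bytes of a real capture (for example the TCP payload exported from a pcap) to get the same answer ssldump gives in the trace above: the server's Certificate message is present whether or not the server has a root.crt, and a mismatched client root.crt shows up as the client's fatal unknown_ca alert rather than as any server-side decision.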
