Re: [HACKERS] Trust intermediate CA for client certificates
| From | Stephen Frost |
|---|---|
| Subject | Re: [HACKERS] Trust intermediate CA for client certificates |
| Date | |
| Msg-id | 20130318125517.GU4361@tamriel.snowman.net |
| In reply to | Re: [HACKERS] Trust intermediate CA for client certificates (Craig Ringer <craig@2ndquadrant.com>) |
| Responses | Re: [HACKERS] Trust intermediate CA for client certificates |
| List | pgsql-general |

Craig, all,

* Craig Ringer (craig@2ndquadrant.com) wrote:
> PROBLEM VERIFIED

Let me just say "ugh". I've long wondered why we have things set up in
such a way that the whole chain has to be in one file, but it didn't
occur to me that it'd actually end up causing this issue. In some ways,
I really wonder about this being OpenSSL's fault as much as ours, but I
doubt they'd see it that way. :)

> What we need to happen instead is for root.crt to contain only the
> trusted certificates and have a *separate* file or directory for
> intermediate certificates that OpenSSL can look up to get the
> intermediates it needs to validate client certs, like
> `ssl_ca_chain_file` or `ssl_ca_chain_path` if we want to support
> OpenSSL's hashed certificate directories.

Makes sense to me. I'm not particular about the names, but isn't this
set of CAs generally considered intermediary? Eg: 'trusted',
'intermediate', etc?

Thanks,

Stephen