Re: Trust intermediate CA for client certificates

Поиск
Список
Период
Сортировка
От Bruce Momjian
Тема Re: Trust intermediate CA for client certificates
Дата
Msg-id 20131202194500.GH5274@momjian.us
обсуждение исходный текст
Ответ на Re: Trust intermediate CA for client certificates  (Tom Lane <tgl@sss.pgh.pa.us>)
Ответы Re: Trust intermediate CA for client certificates
Re: Trust intermediate CA for client certificates
Список pgsql-hackers
Дерево обсуждения 
On Mon, Dec  2, 2013 at 12:59:41PM -0500, Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
> > I have updated the patch, attached, to be clearer about the requirement
> > that intermediate certificates need a chain to root certificates.
> 
> I see that you removed the sentence
> 
>    The root
>    certificate should be included in every case where
>    <filename>postgresql.crt</> contains more than one certificate.
> 
> in both places where it appeared.  I seem to remember that I'd put that
> in on the basis of experimentation, ie it didn't work to provide just
> a partial chain.  You appear to be telling people that it's safe to
> omit the root cert, and I think this is wrong.
> 
> Specifically, rather than the text "trusted by the server, i.e. signed by
> a certificate in the server's <filename>root.crt</filename> file", I think
> you need to say "trusted by the server, i.e., appears in the server's
> <filename>root.crt</filename> file".  Have you experimented with the
> configuration you're proposing, and if so, with which OpenSSL versions?

I am basing the text on the tests done in this thread, though I can test
it myself too (though I have not yet).  This email indicates we only
need the client cert in the client, not the chain to root:
http://www.postgresql.org/message-id/5146A103.8080609@2ndquadrant.com
OK, we're good now, the server is sending us the intermediate cert werequire. Regular non-client-cert verified SSL is
fine. Examination ofthe protocol chat shows that the server is sending a Server Hello with aCertificate message
containingthe server and intermdediate certificateDNs:
 

It can get the root and intermediate from the server, hence the "signed
by" rather than "appears" wording.  This text indicates also that the
client doesn't have to have the certificate chain to the root:
http://www.postgresql.org/message-id/514A9DDF.3050702@2ndquadrant.comDrat, you're quite right. I've always included the
fullcertificatechain in client certs but it's in no way required.
 

I don't fully understand the issues but the discussion seens to indicate
this.  Am I missing something?  Should I run some tests?

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + Everyone has their own god. +

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Alvaro Herrera
Дата:
Сообщение: Re: Re: [BUGS] BUG #7873: pg_restore --clean tries to drop tables that don't exist
Следующее
От: Robert Haas
Дата:
Сообщение: Re: Extension Templates S03E11