Ian Pilcher <arequipeno@gmail.com> writes:
> On 12/02/2013 02:17 PM, Tom Lane wrote:
>> Isn't that sort of the point?
> I'm not sure what you're asking. The desired behavior (IMO) would be to
> accept client certificates signed by some intermediate CAs without
> accepting any client certificate that can present a chain back to the
> trusted root. This is currently not possible, mainly due to the way
> that OpenSSL works.
That notion seems pretty bogus to me. If you don't trust the root CA to
not hand out child CA certs to untrustworthy people, then you don't really
trust the root CA, do you? You should just list the certs of the
intermediate CAs you *do* trust in the server's root.crt.
In any case, the idea that this is somehow OpenSSL's fault and another
implementation of the same protocol wouldn't have the same issue sounds
pretty silly.
regards, tom lane