Re: Trust intermediate CA for client certificates

Bruce Momjian <bruce@momjian.us> writes:
> Sorry, I should have said:

>     Tom is saying that for his openssl version, a client that passed
>     an intermediate certificate had to supply a certificate _matching_
>     something in the remote root.crt, not just signed by it.

> At least I think that was the issue, rather than requiring the client to
> supply a "root" certificate, meaning the client can supply an
> intermediate or root certificate, as long as it appears in the
> root.crt file on the remote end.  

As far as the server is concerned, anything listed in its root.crt *is* a
trusted root CA.  Doesn't matter if it's a child of some other CA.

The issue is that the client's cert has to be linked to some element of
root.crt somehow.  In principle you'd think that if the client provides
an intermediate CA cert, the server should be able to match that to
whichever root.crt member signed it, but that wasn't what I saw
happening.  It'd be good for someone who uses SSL more than I do to
replicate the experiment, though.  It's not impossible that I screwed up.
        regards, tom lane
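The experiment Tom asks someone to replicate, as an added example that is not part of the thread or of PostgreSQL's own code. The script builds a throw-away root CA, an intermediate CA and a client certificate signed only by the intermediate, then runs `openssl verify` on the client certificate against several candidate contents of the server's root.crt. `-untrusted intermediate.pem` stands in for the client presenting the intermediate together with its own certificate in the handshake; all file and CA names are made up. It needs the openssl command-line tool; the last case uses `-partial_chain`, which exists from OpenSSL 1.0.2 on. One caveat a practitioner should keep in mind next to the "anything listed in root.crt is a trusted root" reading: OpenSSL's verifier treats a certificate that is itself issued by some other CA as the end of a chain only when X509_V_FLAG_PARTIAL_CHAIN is set; with the default flags the chain must still reach a self-signed certificate, which may sit in the same root.crt file as the intermediate.

```shell
#!/bin/sh
# Added example (not from the thread): replicate the experiment with a
# throw-away three-tier PKI (root CA -> intermediate CA -> client cert),
# then ask 'openssl verify' which root.crt / client-chain combinations a
# server would accept.  Everything here is constructed; names are made up.
# Needs the openssl CLI (1.0.2 or later for the -partial_chain case).
set -u

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Self-contained config so the run does not depend on a system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Root CA (self-signed).
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -x509 -new -key root.key -config ca.cnf -extensions ca_ext \
    -subj "/CN=Example Root CA" -days 2 -out root.pem

# Intermediate CA, signed by the root.
openssl genrsa -out intermediate.key 2048 2>/dev/null
openssl req -new -key intermediate.key -config ca.cnf \
    -subj "/CN=Example Intermediate CA" -out intermediate.csr
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.cnf -extensions ca_ext -days 2 \
    -out intermediate.pem 2>/dev/null

# Client certificate, signed by the intermediate only.
openssl genrsa -out client.key 2048 2>/dev/null
openssl req -new -key client.key -config ca.cnf -subj "/CN=alice" -out client.csr
openssl x509 -req -in client.csr -CA intermediate.pem -CAkey intermediate.key \
    -CAcreateserial -extfile ca.cnf -extensions leaf_ext -days 2 \
    -out client.pem 2>/dev/null

# What a server whose root.crt holds both the root and the intermediate has.
cat root.pem intermediate.pem > root_plus_intermediate.pem

# run_case TRUST_FILE [extra 'openssl verify' args]
# Verifies client.pem against TRUST_FILE as if it were the server's root.crt.
# '-untrusted FILE' models extra certs the client sends along with its own;
# '-partial_chain' models a verifier that accepts a non-self-signed anchor.
# Prints OK or FAIL plus OpenSSL's reason; the exit status is OpenSSL's.
run_case() {
    trust=$1; shift
    if out=$(openssl verify -CAfile "$trust" "$@" client.pem 2>&1); then
        echo "  OK"
    else
        reason=$(printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1)
        echo "  FAIL: ${reason:-$out}"
        return 1
    fi
}

# show LABEL TRUST_FILE [args...]: human-readable report; never fails itself.
show() {
    echo "$1"; shift
    run_case "$@" || :
}

show "root.crt = root only, client sends only its own cert:" root.pem
show "root.crt = root only, client also sends the intermediate:" root.pem -untrusted intermediate.pem
show "root.crt = root + intermediate, client sends only its own cert:" root_plus_intermediate.pem
show "root.crt = intermediate only (root nowhere), default verifier:" intermediate.pem
show "root.crt = intermediate only, verifier allows partial chains:" intermediate.pem -partial_chain
```

With OpenSSL 1.1.1 or 3.x the first case fails with "unable to get local issuer certificate" (the server has nothing that links the client's certificate to an anchor), the second and third pass, the fourth fails with "unable to get issuer certificate" (the link is there, but the only anchor is not self-signed and partial chains are off), and the fifth passes. Comparing the first and fourth case is what separates "the client did not send its intermediate" from "the server's verifier does not accept an intermediate as an anchor on its own".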



In the pgsql-hackers list, by date sent:

Previous
From: Stephen Frost
Date:
Message: Re: Extension Templates S03E11
Next
From: Stephen Frost
Date:
Message: Re: Trust intermediate CA for client certificates