On 12/02/2013 03:21 PM, Ian Pilcher wrote:
> On 12/02/2013 02:17 PM, Tom Lane wrote:
>> Ian Pilcher <arequipeno@gmail.com> writes:
>>> Yes. And the problem is that there is no way to prevent OpenSSL from
>>> accepting intermediate certificates supplied by the client. As a
>>> result, the server cannot accept client certificates signed by one
>>> intermediate CA without also accepting *any* client certificate that can
>>> present a chain back to the root CA.
>> Isn't that sort of the point?
>>
> I'm not sure what you're asking. The desired behavior (IMO) would be to
> accept client certificates signed by some intermediate CAs without
> accepting any client certificate that can present a chain back to the
> trusted root. This is currently not possible, mainly due to the way
> that OpenSSL works.
>
Wouldn't that amount to only partially trusting the root? It seems kinda
odd. In any case, it's not something I think Postgres needs to solve.
cheers
andrew
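As an added illustration (not code from this thread or from PostgreSQL), the following Python models the chain building Ian describes: the server walks issuer links through the certificates the client presented until it reaches a trusted root, so a trust store alone accepts a client under any intermediate beneath that root, and an application-level issuer pin is what narrows it. Certificates are plain records with no real signatures, and the names, fingerprints and `allowed_issuers` hook are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed stand-in for a SHA-256 certificate hash

# Constructed PKI: one root, two intermediates, one client cert under each.
ROOT = Cert("Root CA", "Root CA", "fp-root")
INT_A = Cert("Int CA A", "Root CA", "fp-int-a")
INT_B = Cert("Int CA B", "Root CA", "fp-int-b")
CLIENT_A = Cert("alice", "Int CA A", "fp-alice")
CLIENT_B = Cert("mallory", "Int CA B", "fp-mallory")
TRUSTED = {ROOT.subject: ROOT}

def build_chain(leaf, presented, trusted, max_depth=5):
    """Walk issuer links from the leaf, using the certificates the client
    presented (as OpenSSL does), until one of them is issued by a cert in
    the trust store. Returns the chain leaf..root, or None if no path."""
    pool = {c.subject: c for c in presented}
    chain, cur = [leaf], leaf
    for _ in range(max_depth):
        if cur.issuer in trusted:
            return chain + [trusted[cur.issuer]]
        nxt = pool.get(cur.issuer)
        if nxt is None or nxt is cur:  # missing link or untrusted self-signed
            return None
        chain.append(nxt)
        cur = nxt
    return None

def accept_client(leaf, presented, trusted, allowed_issuers=None):
    """Trust-store validation, plus an optional policy that pins the leaf's
    immediate issuer to an allow-list of fingerprints. The pin is the part
    the trust store by itself cannot express: with only the root trusted,
    every intermediate under it is accepted."""
    chain = build_chain(leaf, presented, trusted)
    if chain is None:
        return False
    if allowed_issuers is not None and chain[1].fingerprint not in allowed_issuers:
        return False
    return True
```

With only the root trusted, both constructed clients are accepted; adding `allowed_issuers={"fp-int-a"}` rejects the client chained through the other intermediate.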