Re: Trust intermediate CA for client certificates

* Ian Pilcher (arequipeno@gmail.com) wrote:
> > In any case, the idea that this is somehow OpenSSL's fault and another
> > implementation of the same protocol wouldn't have the same issue sounds
> > pretty silly.
>
> Actually other implementations do this.  In fact, a flag was added to
> OpenSSL fairly recently to allow validating a chain only up to an
> intermediate CA for this very reason.

Perhaps that's been a recent change, but it certainly wasn't part of the
original approach and complaining that PG doesn't do it is hardly fair.
Indeed, it sounds like this is something which should *still* be done
outside of PG and through however you configure OpenSSL on your system.

Regardless, it's completely off-topic for this discussion, which is
about documenting what we *currently* do.  If you'd like to propose a
new set of features, or better yet, a rework of how we configure SSL in
PG, please do so on another thread. :)
Thanks!
    Stephen