Re: Trust intermediate CA for client certificates

On Mon, Dec  2, 2013 at 04:56:56PM -0500, Stephen Frost wrote:
> * Ian Pilcher (arequipeno@gmail.com) wrote:
> > > In any case, the idea that this is somehow OpenSSL's fault and another
> > > implementation of the same protocol wouldn't have the same issue sounds
> > > pretty silly.
> > 
> > Actually other implementations do this.  In fact, a flag was added to
> > OpenSSL fairly recently to allow validating a chain only up to an
> > intermediate CA for this very reason.
> 
> Perhaps that's been a recent change, but it certainly wasn't part of the
> original approach and complaining that PG doesn't do it is hardly fair.
> Indeed, it sounds like this is something which should *still* be done
> outside of PG and through however you configure OpenSSL on your system.
> 
> Regardless, it's completely off-topic for this discussion, which is
> about documenting what we *currently* do.  If you'd like to propose a
> new set of features, or better yet, a rework of how we configure SSL in
> PG, please do so on another thread. :)

Uh, this thread actually started with Ian's feature request, and has
changed to document the current behavior.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + Everyone has their own god. +