Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
| From | Craig Ringer |
|---|---|
| Subject | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |
| Date | |
| Msg-id | 4BFC5C93.40406@postnewspapers.com.au |
| In response to | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request (Tom Lane <tgl@sss.pgh.pa.us>) |
| Responses | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request; Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |
| List | pgsql-bugs |
On 25/05/10 23:48, Tom Lane wrote:
> Craig Ringer <craig@postnewspapers.com.au> writes:
>> Bug 5245 is not the same issue. They're talking about the server not
>> sending the full certificate chain for the cert that identifies the
>> server (server.crt). It's nothing to do with client certificates.
>> Without the full chain, the client can't verify the server unless it
>> happens to already have the intermediate certs between the server's cert
>> and the trusted root that signed it installed locally. I haven't
>> encountered #5245 myself, but will test it shortly to verify. It'd
>> certainly count as a significant bug, as it would make it impossible to
>> use indirect trust to verify a server (as is the case when a corporate
>> CA signed by a "big name" CA is in use).
>
> BTW, does anyone know exactly how to fix that? I'm looking at a related
> request internal to Red Hat right now.

The first thing to test is whether concatenating the root cert onto the server cert in 'server.crt' does the trick.

Though, really, OpenSSL should do the right thing automatically so long as it has the CA certificate loaded. Certainly my (patched) server is doing the right thing and sending the certificate. I'm 99% sure it did so before patching, though, just from having root.crt installed. However, this only works because the CA I want to validate clients against happens to be the same CA that signed my server's certificate, which is frequently *not* the case.

I do *not* have the CA cert concatenated onto server.crt. I'll have to see if that works, because that's how it's usually done with OpenSSL.

BTW, the little Java app I posted for client certificate testing will let you get detailed tracing of a Pg SSL connection. Just run it with the default sslsocketfactory and no client cert:

  java -jar PgClientCertDemo.jar default '' '' '' \
    jdbc:postgresql://YOURSERVER/YOURDATABASE?ssl=true&user=blah&password=blah

and you'll get detailed trace information (possibly followed by an exception if it couldn't negotiate for some reason). Search for 'ServerHello' to find the start of the area of interest in the negotiation. Search for 'chain [' to find the server certificate chain entries.

--
Craig Ringer