Re: [HACKERS] Trust intermediate CA for client certificates
| From | Craig Ringer |
|---|---|
| Subject | Re: [HACKERS] Trust intermediate CA for client certificates |
| Msg-id | 514A9DDF.3050702@2ndquadrant.com |
| In reply to | Re: [HACKERS] Trust intermediate CA for client certificates (Stephen Frost <sfrost@snowman.net>) |
| Responses | Re: [HACKERS] Trust intermediate CA for client certificates |
| List | pgsql-general |
On 03/19/2013 09:46 PM, Stephen Frost wrote:
> * Craig Ringer (craig@2ndquadrant.com) wrote:
>> As far as I'm concerned that's the immediate problem fixed. It may be
>> worth adding a warning on startup if we find non-self-signed certs in
>> root.crt too, something like 'WARNING: Intermediate certificate found in
>> root.crt. This does not do what you expect and your configuration may be
>> insecure; see the Client Certificates chapter in the documentation.'
>
> I'm not sure that I follow this logic, unless you're proposing that
> intermediate CAs only be allowed to be picked up from system-wide
> configuration? That strikes me as overly constrained as I imagine there
> are valid configurations today which have intermediate CAs listed, with
> the intention that they be available for PG to build the chain from a
> client cert that is presented back up to the root. Now, the client
> might be able to provide such an intermediate CA cert too (one of the
> fun things about SSL is that the client can send any 'missing' certs to
> the server, if it has them available..), but it also might not.
>

Drat, you're quite right. I've always included the full certificate chain in client certs but it's in no way required. I guess that pretty much means maintaining the status quo and documenting it better.
--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services