Re: Trust intermediate CA for client certificates
| От | Andrew Dunstan |
|---|---|
| Тема | Re: Trust intermediate CA for client certificates |
| Дата | |
| Msg-id | 529CFA6A.2070608@dunslane.net обсуждение исходный текст |
| Ответ на | Re: Trust intermediate CA for client certificates (Tom Lane <tgl@sss.pgh.pa.us>) |
| Список | pgsql-hackers |
On 12/02/2013 04:17 PM, Tom Lane wrote: > Bruce Momjian <bruce@momjian.us> writes: >> Sorry, I should have said: >> Tom is saying that for his openssl version, a client that passed >> an intermediate certificate had to supply a certificate _matching_ >> something in the remote root.crt, not just signed by it. >> At least I think that was the issue, rather than requiring the client to >> supply a "root" certificate, meaning the client can supply an >> intermediate or root certificicate, as long as it appears in the >> root.crt file on the remote end. > As far as the server is concerned, anything listed in its root.crt *is* a > trusted root CA. Doesn't matter if it's a child of some other CA. > > The issue is that the client's cert has to be linked to some element of > root.crt somehow. In principle you'd think that if the client provides > an intermediate CA cert, the server should be able to match that to > whichever root.crt member signed it, but that wasn't what I saw > happening. It'd be good for someone who uses SSL more than I do to > replicate the experiment, though. It's not impossible that I screwed up. > I have a test script I developed when I had some difficulties with intermediate CAs a while back. I'll see if I can clean it up and test this out. cheers andrew
В списке pgsql-hackers по дате отправления: