Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request

From Magnus Hagander
Subject Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
Date
Msg-id AANLkTilUiVySlptbWFiKuac7r8zXpbGazM2wqTDDN1Ju@mail.gmail.com
In reply to Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request  (Tom Lane <tgl@sss.pgh.pa.us>)
Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
On Tue, May 25, 2010 at 17:48, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Craig Ringer <craig@postnewspapers.com.au> writes:
>> Bug 5245 is not the same issue. They're talking about the server not
>> sending the full certificate chain for the cert that identifies the
>> server (server.crt). It's nothing to do with client certificates.
>> Without the full chain, the client can't verify the server unless it
>> happens to already have the intermediate certs between the server's cert
>> and the trusted root that signed it installed locally. I haven't
>> encountered #5245 myself, but will test it shortly to verify. It'd
>> certainly count as a significant bug, as it would make it impossible to
>> use indirect trust to verify a server (as is the case when a corporate
>> CA signed by a "big name" CA is in use).
>
> BTW, does anyone know exactly how to fix that?  I'm looking at a related
> request internal to Red Hat right now.

I have it on my TODO to figure it out, but from what I can tell it's
very close to being undocumented, like most of OpenSSL. So it will
need research of how others do it, etc. Unless someone can figure out
how to do it, and I can stick to just reviewing it, there is pretty
much zero chance that I can get that done for 9.0 (even if we call it
a bugfix) due to lack of time over the next couple of weeks.

(and yes, I intend to get back in on the rest of this thread as well
once I've cleared my pgcon-induced backlog)

-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
