On Wed, 07 Sep 2011 13:49:30 +0200, Asia wrote:
I think problem is as follows, server sends to client certificates
it
can accept (as accepted parents), without intermediate CA, Java sees
only top-level cert and tries to find client cert issued directly by
top-level CA, I may only assume, that without intermediate CA you
will
be able to auth against any cert signed by top-level CA (this may
cause
small security hole as well).
I think this is not needed, but I suggest You too check cert
"policies"
with v3 extensions.
Java is really pedantic, about security.
Regards,
Radek
The problem is that I believe that this configuration could be better
but I cannot put part
of CA chain in root.crt as it was advised.
For Java it all depends on current SSL Factory implementation, I was
using the default one.
If I wrote my own implementation I would probably be able to have
common with libpq,
requiring the least info, configuration (but actually I would prefer
to avoid it).
Kind regards,
Joanna
I personally haven't tired SSL for PostgreSQL but, I think, You should
put in root.crt only intermediate certificate (C1 - from prev post), so
all and only all "sub-certs" of intermediate CA will be able to
establish connection (paranoic security).
Putting intermediate CAs as trusted in Java keystore may be solution,
but I'm not sure if in situation of cert invalidation, such cert will be
rejected.
If you want to write SSL Factory, you should re-implement KeyManager
only, to give ability of extended search.
Regards,
Radek
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general