On 28 Feb 2017, at 21:51, Bruce Momjian wrote:
I have researched this and will post a blog and and document the fix
in
the next few months. The reason you have to supply the entire
certificate chain to the root CA on the client is because you have not
used the "-extensions v3_ca" flag to openssl when creating the CA x509
request. You have to mark the certificates as CAs so they are passed
from the server to the client. You are looking for the CA
certificates
to say:
X509v3 Basic Constraints:
CA:TRUE
My `ca.cert.pem` file has
X509v3 Basic Constraints: critical
CA:TRUE
The `intermediate.cert.pem` has
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
This intermediate cert was generated using the `v3_intermediate_ca`
extension defined in [1]. I wouldn’t expect *not* to have to give the
full certificate chain to the client, since both were created by me.
To summarise my problem and solution: the connection worked fine until
`ssl_crl_file` was enabled. I was trying to use a CRL generated from the
intermediate CA, assuming PostgreSQL would trust it since it knows about
the full CA chain in `ssl_ca_file`. Apparently, it must be a CRL
generated from the root concatenated to a CRL generated from the
intermediate, and then it works.
[1]:
https://github.com/RazerM/postgres_crl_test/blob/dd9ef3ac4dd74d1cdfc6403899a09d954fd9622a/intermediate-config.txt#L99
Kind regards,
Frazer McLean
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
