On Wed, May 26, 2010 at 10:54:42AM -0400, Tom Lane wrote: > Garick Hamlin <gham...@isc.upenn.edu> writes: > > I am guessing the problem is that validating the presented chain is hard? > > No, the problem is that the current libpq code fails to present the > chain at all. It will only load and send the first cert in the > postgresql.crt file. This works only when the client's cert is signed > directly by one of the CAs trusted by the server.
Sorry, I just re-read your original message. You were clear, but I read it wrong. This is much less limiting than what I thought was being suggested. Having a user's credentials work with only one trust anchor isn't that bad. I am not familiar enough with openssl to know if there is a specific pitfall to the change you suggested (which I think was what you were asking).. One could make it work with multiple TAs in a similar fashion if it also checked for the existence of a directory (like: ~/.postgresql/client_ta ) to store chains to each supported TA by fingerprint. That might not be worth the effort at this point... Garick > > regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers