Thank you for the answer! I know it. So, my second question is: how can I add support for this extension in PostgreSQL? That is, I want PostgreSQL to accept a connection with the cert auth method when the certificate has my extension with the critical flag.

03.04.2014, 04:33, "Wim Lewis" <w...@omnigroup.com>:
> On 1 Apr 2014, at 11:38 PM, carriingfat...@ya.ru wrote:
>
>> I set certificate auth on postgresql 9.3. I generate SSL certificate with
>> my custom extension. So, OpenSSL read it, PostgreSQL accept it if this
>> extension is not critical, but if I set this extension critical, PostgreSQL
>> deny connection.
>
> I think that is the correct behavior. The "critical" bit tells PostgreSQL (or
> other software) what to do if it does not understand the extension: if
> there's an unknown extension with the critical bit set, then the certificate
> can't be validated. If the critical bit is not set, then the unknown
> extension is ignored, and the certificate is processed as if the extension
> weren't there.
>
> See this section of RFC 5280:
> http://tools.ietf.org/html/rfc5280#section-4.2
>
> The idea is that you can set the critical bit for extensions that are
> supposed to *restrict* the usability of the certificate, so that the certificate
> won't be used in undesired ways by software that doesn't understand the
> extension.

----
Best regards, Dmitry Voronin

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
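
The critical-bit rule from RFC 5280 section 4.2 discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL or PostgreSQL code. It walks a DER-encoded Extensions value and reports the extensions that force rejection; the OID 2.999.1 (from the example arc) standing in for the custom extension, the placeholder extension values and the `UNDERSTOOD` set are assumptions.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    subids, value = [], 0
    for b in body:                           # base-128, high bit means more bytes follow
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)          # first two arcs share one subidentifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def parse_extensions(der):
    """Return [(oid, critical)] for Extensions ::= SEQUENCE OF Extension."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, nxt = read_tlv(ext, 0)
        tag, val, _ = read_tlv(ext, nxt)     # BOOLEAN if present, else the OCTET STRING
        found.append((decode_oid(oid), tag == 0x01 and val != b"\x00"))
    return found

def unhandled_critical(der, understood):     # non-empty result means: reject the certificate
    return [oid for oid, crit in parse_extensions(der) if crit and oid not in understood]

def tlv(tag, body):                          # short-form encoder, enough for the sample data
    return bytes([tag, len(body)]) + body

def extension(oid_body, critical):
    flag = tlv(0x01, b"\xff") if critical else b""   # DER omits the DEFAULT FALSE value
    return tlv(0x30, tlv(0x06, oid_body) + flag + tlv(0x04, b"\x05\x00"))

# Constructed sample data (not taken from the thread); extension values are placeholders.
KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15
CUSTOM = bytes.fromhex("883701")             # 2.999.1, stand-in for the custom extension
UNDERSTOOD = {"2.5.29.15"}                   # what this hypothetical verifier handles
SAMPLE_CRITICAL = tlv(0x30, extension(KEY_USAGE, True) + extension(CUSTOM, True))
SAMPLE_NONCRITICAL = tlv(0x30, extension(KEY_USAGE, True) + extension(CUSTOM, False))
```

`unhandled_critical(SAMPLE_CRITICAL, UNDERSTOOD)` returns the custom OID, while the non-critical sample returns an empty list, matching the accept and deny behaviour described in the quoted message.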