low connections when the
client presents a certificate signed by a particular intermediate CA?
AFAIK, there is currently no way to do this.
--
========
Ian Pilcher arequip...@gmail.com

On 12/02/2013 02:32 PM, Tom Lane wrote:
> Ian Pilcher writes:
>> I'm not sure what you're asking. The desired behavior (IMO) would be to
>> accept client certificates signed by some intermediate CAs without
>> accepting any client certificate that can present a ch
n
that currently surrounds the issue.
--
========
Ian Pilcher arequip...@gmail.com
Sent from the cloud -- where it's already tomorrow
--
Sent via pgsql-hackers maili

On 12/02/2013 02:17 PM, Tom Lane wrote:
> Ian Pilcher writes:
>> Yes. And the problem is that there is no way to prevent OpenSSL from
>> accepting intermediate certificates supplied by the client. As a
>> result, the server cannot accept client certificates signed by o
TLS for the win?
--
============
Ian Pilcher arequip...@gmail.com
Sent from the cloud -- where it's already tomorrow
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org
is configuration, the test client is able to connect with the
"good" client certificate, but it is also able to connect with the "bad"
client certificate when it presents a certificate chain that includes
the server CA certificate.
--
========
enSSL discover it that way, but it looks like
> OpenSSL won't use certs it's seen in server.crt when verifying client
> cert trust paths.

Nope. It's pretty obvious from be-secure.c that only the certificates
in root.crt will be used.
--
validates certificates, I do not believe that there is any way of
achieving the desired behavior with the current codebase.
Adding pgsql-hackers to see if there is any interest in a patch to add
this functionality.
--
Ian Pil