public inbox for [email protected]  
From: Tom Lane <[email protected]>
To: Ray Stell <[email protected]>
Cc: [email protected]
Subject: Re: no verification of client certificate?
Date: Sun, 25 Mar 2007 22:01:20 -0400
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>

Ray Stell <[email protected]> writes:
> On Fri, Mar 23, 2007 at 06:01:17PM -0400, Tom Lane wrote:
>> Ray Stell <[email protected]> writes:
>>> I was hoping to not have to support client certs.  I want
>>> encryption and to verify the server, but not to verify the client.
>>> Does this work and I've got the config wrong?
>> 
>> Maybe I misunderstand what you want --- doesn't leaving out the
>> server's root.crt file do that?

> It doesn't look like it to me.  I hope you can steer me back.

I looked more closely and you are right: if the server does not have
a root.crt file then it doesn't send its server cert to the client,
and so there's no way for the client to verify the cert.  Whereas if
it does have root.crt then it insists on verifying the client's cert.
This seems to be a restriction of OpenSSL: sending of the server cert is
implicitly enabled by enabling checking of client certs using root.crt.
Perhaps there's a way around that, but it'll take more knowledge of
OpenSSL than I have to fix it.

Offhand your desire doesn't seem completely unreasonable, so perhaps
there is a way to get OpenSSL to do it that we don't know about.
Bruce, would you add something to the TODO list?

* Support SSL configurations in which client checks server's cert but
  not vice versa.

			regards, tom lane
