public inbox for [email protected]  
From: Bruce Momjian <[email protected]>
To: Michael Paquier <[email protected]>
Cc: PostgreSQL-documentation <[email protected]>
Cc: Stephen Frost <[email protected]>
Cc: David Steele <[email protected]>
Subject: Re: Correction of intermediate certificate handling
Date: Tue, 16 Jan 2018 11:21:22 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>

On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
> > My talk documents this behavior.  In this talk:
> > 
> > 	https://momjian.us/main/writings/pgsql/tls.pdf
> > 
> > slides 47 and 49 use -extensions v3_ca.  Slides 73 and 74 show that the
> > intermediate is not needed on the client if it is created with v3_ca and
> > exists on the server.  Slide 75 shows that the server certificate must be
> > first in server.crt.
> > 
> > I have created the attached doc patch to add this information to our
> > docs.  I would like to backpatch this since what we have now, while it
> > works, is inaccurate.
> 
> I have spent some time looking at your patch, this gets a +1 from here.

Thanks.

> This bit is important. I am happy that your patch mentions that
> intermediate certificates avoid the need to store root ones on the
> client. Should the docs mention terms like "chain of trust"?

I think the question is how much do we want to "teach" people in our
docs.  We do oddly but wisely link from our docs to HP OpenVMS docs
about how the chain of trust works:

	http://h41379.www4.hpe.com/doc/83final/ba554_90007/ch04s02.html

I will write up a paragraph about the concepts for our docs for the
group's review.

> Perhaps the docs could also include an example of a command to create a
> root and an intermediate certificate in runtime.sgml or such?

Yes, I have thought about that.  My presentation has clear examples that
we can use, again based on Stephen and David's scripts using v3_ca.  I
will work up a possible patch for that too.

> On top of that, src/test/ssl does not provide any kind of coverage for
> that. It would be an area of improvement for those tests.

Wow, I have no idea how to do that.  Let me look.  Seems I have more
work to do.

Instead of appending to this doc patch, I will work on a second one for
review.

-- 
  Bruce Momjian  <[email protected]>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
