public inbox for [email protected]
help / color / mirror / Atom feedFrom: Michael Paquier <[email protected]>
To: Bruce Momjian <[email protected]>
Cc: PostgreSQL-documentation <[email protected]>
Cc: Stephen Frost <[email protected]>
Cc: David Steele <[email protected]>
Subject: Re: Correction of intermediate certificate handling
Date: Wed, 17 Jan 2018 09:09:50 +0900
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
On Tue, Jan 16, 2018 at 11:21:22AM -0500, Bruce Momjian wrote:
> On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
> > This bit is important. I am happy that your patch mentions that
> > intermediate certificates avoid the need to store root ones on the
> > client. Should the docs mention terms like "chain of trust"?
>
> I think the question is how much do we want to "teach" people in our
> docs. We do oddly but wisely link from our docs to HP OpenVMS docs
> about how the chain of trust works:
>
> http://h41379.www4.hpe.com/doc/83final/ba554_90007/ch04s02.html
>
> I will write up a paragraph about the concepts for our docs for the
> group's review.
As a separate patch, I think that it would be fine as well.
> > Perhaps the docs could also include an example of command to create a
> > root and an intermediate certificate in runtime.sgml or such?
>
> Yes, I have thought about that. My presentation has clear examples that
> we can use, again based on Stephen and David's scripts using v3_ca. I
> will work up a possible patch for that too.
That too.
> > On top of that, src/test/ssl does not provide any kind of coverage for
> > that. It would be an area of improvement for those tests.
>
> Wow, I have no idea how to do that. Let me look. Seems I have more
> work to do.
You would need to update src/test/ssl/Makefile to generate those
intermediate CAs, and then make ServerSetup::switch_server_cert smarter
in the way the series of certificates are handled. A suggestion I have
would be to create each certificate file separately and change the
routine so as it uses an array in input, the order of the items defining
what's the order the the data. For the client there is sslrootcert, so I
guess that a small routine able to take a set of certs and append them
to a single file would make it as well (switch_server_cert should use
it).
> Instead of appending to this doc patch, I will work on a second one for
> review.
I see nothing pressing here. If you are not familiar with the TAP test
facility, this could give you a good introduction to it.
--
Michael
Attachments:
[application/pgp-signature] signature.asc (833B, 2-signature.asc)
download
view thread (16+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected]
Subject: Re: Correction of intermediate certificate handling
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox