Date: Wed, 17 Jan 2018 09:09:50 +0900
From: Michael Paquier
To: Bruce Momjian
Cc: PostgreSQL-documentation, Stephen Frost, David Steele
Subject: Re: Correction of intermediate certificate handling
Message-ID: <20180117000950.GB935@paquier.xyz>
References: <20180116002238.GC12724@momjian.us> <20180116053305.GB2212@paquier.xyz> <20180116162122.GB1470@momjian.us>
In-Reply-To: <20180116162122.GB1470@momjian.us>

On Tue, Jan 16, 2018 at 11:21:22AM -0500, Bruce Momjian wrote:
> On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
> > This bit is important. I am happy that your patch mentions that
> > intermediate certificates avoid the need to store root ones on the
> > client. Should the docs mention terms like "chain of trust"?
>
> I think the question is how much do we want to "teach" people in our
> docs. We do oddly but wisely link from our docs to HP OpenVMS docs
> about how the chain of trust works:
>
> http://h41379.www4.hpe.com/doc/83final/ba554_90007/ch04s02.html
>
> I will write up a paragraph about the concepts for our docs for the
> group's review.

As a separate patch, I think that it would be fine as well.

> > Perhaps the docs could also include an example command to create a
> > root and an intermediate certificate in runtime.sgml or such?
>
> Yes, I have thought about that. My presentation has clear examples that
> we can use, again based on Stephen and David's scripts using v3_ca. I
> will work up a possible patch for that too.

That too.

> > On top of that, src/test/ssl does not provide any kind of coverage for
> > that. It would be an area of improvement for those tests.
>
> Wow, I have no idea how to do that. Let me look. Seems I have more
> work to do.

You would need to update src/test/ssl/Makefile to generate those
intermediate CAs, and then make ServerSetup::switch_server_cert smarter
in the way the series of certificates is handled. A suggestion I have
would be to create each certificate file separately and change the
routine so that it takes an array as input, the order of the items
defining the order of the data. For the client there is sslrootcert, so
I guess that a small routine able to take a set of certs and append them
to a single file would make it as well (switch_server_cert should use
it).

> Instead of appending to this doc patch, I will work on a second one for
> review.

I see nothing pressing here. If you are not familiar with the TAP test
facility, this could give you a good introduction to it.
--
Michael
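The chain Michael describes above (intermediate CA generated at setup time, certificates appended in input order into the single file the server presents, the client trusting only the root via sslrootcert), as an added example that is not part of this thread or of the PostgreSQL test suite. It assumes the openssl CLI, a scratch directory WORK, and constructed subject names; the inline extension file stands in for a v3_ca config section.

```shell
# Constructed example, not code from the PostgreSQL tree: build a root CA, an
# intermediate CA signed by it, and a server certificate signed by the
# intermediate, then append leaf + intermediate into the one file a server
# presents to clients whose sslrootcert holds only the root.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory for keys and certs

# CA extensions: the equivalent of an openssl.cnf v3_ca section.
write_ca_ext() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
}

# Fresh RSA key and CSR: $1 = file base name, $2 = subject CN (constructed).
new_csr() {
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

build_chain() {
  write_ca_ext
  new_csr root "Test Root CA"                  # self-signed root
  openssl x509 -req -days 365 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  new_csr intermediate "Test Intermediate CA"  # issued by the root
  openssl x509 -req -days 365 -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/intermediate.crt" >/dev/null 2>&1
  new_csr server localhost                     # issued by the intermediate
  openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial \
    -out "$WORK/server.crt" >/dev/null 2>&1
  # Leaf first, then its issuer: the order of the data follows the input order.
  cat "$WORK/server.crt" "$WORK/intermediate.crt" > "$WORK/server-bundle.crt"
}

# Verifies only when the intermediate is available to complete the chain.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Fails: the root alone cannot reach the server certificate's issuer.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

build_chain
verify_with_intermediate && echo "root + intermediate: chain verifies"
verify_without_intermediate || echo "root alone: chain fails, as expected"
```

The failing second check is the point of the docs correction: a client holding only the root cannot validate the server unless the server sends the intermediate along with its own certificate.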