Re: Correction of intermediate certificate handling

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Bruce Momjian <[email protected]>
To: Peter Eisentraut <[email protected]>
Cc: Michael Paquier <[email protected]>
Cc: PostgreSQL-documentation <[email protected]>
Cc: Stephen Frost <[email protected]>
Cc: David Steele <[email protected]>
Subject: Re: Correction of intermediate certificate handling
Date: Fri, 26 Jan 2018 08:09:30 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>

On Thu, Jan 25, 2018 at 10:59:23PM -0500, Peter Eisentraut wrote:
> On 1/16/18 00:33, Michael Paquier wrote:
> > On top of that, src/test/ssl does not provide any kind of coverage for
> > that. It would be an area of improvement for those tests.
> 
> The tests already cover this:
> 
> # intermediate client_ca.crt is provided by client, and isn't in
> server's ssl_ca_file
> switch_server_cert($node, 'server-cn-only', 'root_ca');
> $common_connstr =
> "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key
> sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
> 
> test_connect_ok($common_connstr,
>     "sslmode=require sslcert=ssl/client+client_ca.crt");
> test_connect_fails($common_connstr, "sslmode=require
> sslcert=ssl/client.crt");
> 
> If you change the Makefile rule for generating the client CA to omit the
> -extensions v3_ca option, then the first test will fail.

Oh, very good!

-- 
  Bruce Momjian  <[email protected]>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +

view thread (16+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Correction of intermediate certificate handling
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox