Date: Fri, 26 Jan 2018 08:09:30 -0500
From: Bruce Momjian
To: Peter Eisentraut
Cc: Michael Paquier, PostgreSQL-documentation, Stephen Frost, David Steele
Subject: Re: Correction of intermediate certificate handling
Message-ID: <20180126130930.GD20836@momjian.us>
References: <20180116002238.GC12724@momjian.us> <20180116053305.GB2212@paquier.xyz>
User-Agent: Mutt/1.5.23 (2014-03-12)

On Thu, Jan 25, 2018 at 10:59:23PM -0500, Peter Eisentraut wrote:
> On 1/16/18 00:33, Michael Paquier wrote:
> > On top of that, src/test/ssl does not provide any kind of coverage for
> > that. It would be an area of improvement for those tests.
>
> The tests already cover this:
>
> # intermediate client_ca.crt is provided by client, and isn't in
> # server's ssl_ca_file
> switch_server_cert($node, 'server-cn-only', 'root_ca');
> $common_connstr =
>   "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key
>   sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
>
> test_connect_ok($common_connstr,
>   "sslmode=require sslcert=ssl/client+client_ca.crt");
> test_connect_fails($common_connstr, "sslmode=require
>   sslcert=ssl/client.crt");
>
> If you change the Makefile rule for generating the client CA to omit the
> -extensions v3_ca option, then the first test will fail.

Oh, very good!

-- 
  Bruce Momjian                            http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
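The effect Peter describes, as an added example that is not part of this thread or of the PostgreSQL test suite: plain openssl commands build a root CA, an intermediate client CA and a client certificate twice, once signing the intermediate with a v3_ca section (basicConstraints CA:TRUE) and once omitting it, then verify the client chain with only the root trusted and the intermediate supplied as untrusted, which is how the server sees client+client_ca.crt against an ssl_ca_file holding only root_ca. The config section names, subjects and temp directory are constructed here.

```shell
# chain_verifies MODE -> prints "ok" or "fail"
#   MODE "v3_ca": sign the intermediate with the v3_ca extensions (as the Makefile does)
#   MODE "none":  omit -extfile/-extensions, leaving the intermediate without CA:TRUE
chain_verifies() {
  mode="$1"
  d=$(mktemp -d)
  # Minimal config (constructed for this example): a dn section so "req" is happy,
  # plus the CA extensions the PostgreSQL Makefile selects with -extensions v3_ca.
  cat > "$d/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Root CA: self-signed and always marked CA:TRUE (stands in for root_ca.crt).
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -extensions v3_ca \
    -subj "/CN=Example Root CA" -days 2 -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate client CA request, signed by the root with or without the CA extensions.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=Example Client CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  if [ "$mode" = "v3_ca" ]; then ext="-extfile $d/ca.cnf -extensions v3_ca"; else ext=""; fi
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 $ext -out "$d/int.crt" 2>/dev/null
  # Client certificate issued by the intermediate (stands in for client.crt).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=ssltestuser" -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -out "$d/client.crt" 2>/dev/null
  # Verifier trusts only the root; the intermediate arrives with the client chain.
  # Without basicConstraints CA:TRUE on it, OpenSSL rejects it as an issuer.
  if openssl verify -CAfile "$d/root.crt" -untrusted "$d/int.crt" "$d/client.crt" >/dev/null 2>&1
  then result=ok; else result=fail; fi
  rm -rf "$d"
  echo "$result"
}

echo "intermediate signed with v3_ca: $(chain_verifies v3_ca)"   # ok
echo "intermediate signed without it: $(chain_verifies none)"    # fail
```

The same root-only trust store and untrusted intermediate is what test_connect_ok exercises, so the second case is the failure the test catches when -extensions v3_ca is dropped from the Makefile.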