Subject: Re: Correction of intermediate certificate handling
From: Peter Eisentraut (2ndQuadrant)
To: Michael Paquier, Bruce Momjian
Cc: PostgreSQL-documentation, Stephen Frost, David Steele
Date: Thu, 25 Jan 2018 22:59:23 -0500
In-Reply-To: <20180116053305.GB2212@paquier.xyz>

On 1/16/18 00:33, Michael Paquier wrote:
> On top of that, src/test/ssl does not provide any kind of coverage for
> that. It would be an area of improvement for those tests.

The tests already cover this:

# intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
switch_server_cert($node, 'server-cn-only', 'root_ca');
$common_connstr = "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
test_connect_ok($common_connstr, "sslmode=require sslcert=ssl/client+client_ca.crt");
test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt");

If you change the Makefile rule for generating the client CA to omit the
-extensions v3_ca option, then the first test will fail.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
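The two cases the test exercises, and the dependence on the CA extension, can be reproduced outside PostgreSQL with plain openssl. The script below is an added example, not code from the PostgreSQL tree: the root CA stands in for the server's ssl_ca_file, the client CA passed as -untrusted stands in for the chain libpq sends from client+client_ca.crt, and a second client CA issued without CA:TRUE stands in for a Makefile rule that dropped -extensions v3_ca. All paths under $WORK and the constructed subject names are assumptions.

```sh
#!/bin/sh
# Added demo: root CA -> client CA -> client leaf, built twice, then verified
# with only the root trusted. Everything under $WORK is constructed here.
set -e
WORK=$(mktemp -d)
# Same effect as the v3_ca section the PostgreSQL Makefile selects with -extensions v3_ca
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/v3_ca.ext"

# issue_chain <tag> [ext-file]: writes root, client CA and leaf into $WORK/<tag>.
# The optional extension file is applied to the client CA only.
issue_chain() {
  d="$WORK/$1"; ext="$2"; mkdir -p "$d"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$WORK/v3_ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test client CA" \
    -keyout "$d/client_ca.key" -out "$d/client_ca.csr" 2>/dev/null
  # ${ext:+...} expands to nothing when no extension file was given
  openssl x509 -req -in "$d/client_ca.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 ${ext:+-extfile "$ext"} -out "$d/client_ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ssltestuser" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/client_ca.crt" -CAkey "$d/client_ca.key" \
    -CAcreateserial -days 30 -out "$d/client.crt" 2>/dev/null
}

# verify_client <tag> <yes|no>: succeeds only if the leaf chains to the root.
# "yes" supplies the client CA as an untrusted cert, as a client sending its chain
# would; "no" presents the leaf alone, like sslcert=ssl/client.crt in the test.
verify_client() {
  if [ "$2" = yes ]; then untrusted="-untrusted $WORK/$1/client_ca.crt"; else untrusted=""; fi
  openssl verify -CAfile "$WORK/$1/root.crt" $untrusted "$WORK/$1/client.crt" 2>/dev/null \
    | grep -q ': OK$'
}

issue_chain good "$WORK/v3_ca.ext"   # client CA carries CA:TRUE, as the Makefile builds it
issue_chain bad                      # client CA issued without any CA extension

for tag in good bad; do
  for sent in yes no; do
    if verify_client "$tag" "$sent"; then r=verifies; else r=rejected; fi
    echo "client CA: $tag, chain sent: $sent -> $r"
  done
done
# Only good/yes verifies (test_connect_ok); good/no is the test_connect_fails case;
# with the bad client CA the chain is rejected even when it is sent.
```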