Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rfK04-00GvbU-21 for pgsql-hackers@arkaria.postgresql.org; Wed, 28 Feb 2024 13:29:32 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rfK02-00Afmq-IE for pgsql-hackers@arkaria.postgresql.org; Wed, 28 Feb 2024 13:29:31 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rfK02-00Afmh-5j for pgsql-hackers@lists.postgresql.org; Wed, 28 Feb 2024 13:29:30 +0000 Received: from smtp.outgoing.loopia.se ([93.188.3.37]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rfK00-001m0G-7p for pgsql-hackers@lists.postgresql.org; Wed, 28 Feb 2024 13:29:29 +0000 Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id 940102FF2C1E for ; Wed, 28 Feb 2024 14:29:26 +0100 (CET) Received: from s979.loopia.se (unknown [172.22.191.5]) by s807.loopia.se (Postfix) with ESMTP id 8384D2E2A262; Wed, 28 Feb 2024 14:29:26 +0100 (CET) Received: from s472.loopia.se (unknown [172.22.191.5]) by s979.loopia.se (Postfix) with ESMTP id 81E2010BC4A8; Wed, 28 Feb 2024 14:29:26 +0100 (CET) X-Virus-Scanned: amavisd-new at amavis.loopia.se X-Spam-Flag: NO X-Spam-Score: -1.21 X-Spam-Level: X-Spam-Status: No, score=-1.21 tagged_above=-999 required=6.2 tests=[ALL_TRUSTED=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=disabled Authentication-Results: s472.loopia.se (amavisd-new); dkim=pass (2048-bit key) header.d=yesql.se Received: from s899.loopia.se ([172.22.191.6]) by s472.loopia.se (s472.loopia.se [172.22.190.12]) (amavisd-new, port 10024) with LMTP id hMP9FYeH4j_u; Wed, 28 Feb 2024 14:29:26 +0100 (CET) X-Loopia-Auth: user X-Loopia-User: daniel@yesql.se X-Loopia-Originating-IP: 89.255.232.193 Received: from smtpclient.apple (customer-89-255-232-193.stosn.net [89.255.232.193]) (Authenticated sender: daniel@yesql.se) by s899.loopia.se (Postfix) with ESMTPSA id CE6FB2C8BA8D; Wed, 28 Feb 2024 14:29:25 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yesql.se; s=loopiadkim1707475645; t=1709126965; bh=p1aav1rOUmjBDSMd/XgxK2U9bkp2t9hvsdRgXdg34/8=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=mrmS3B5X/AWCeiKE90ZecFZR35KPO4QXJkNjLrkxu4OymVAyQdHMhRy0q3dsLKYeF YyjoQgYcmFfxJrJwxFHskK3ju7Y3SYIbl9InAhrvPTy/OSm2V5pmzmnPCxCfo9whVx pi7iQVUXIDTAHunxC9Ea6tcCI6Q96SYtEy2lnLwf5pUQDNu+typ1CuPQ6Qdji731RJ xJlSuo/MboS3pWG6yX2blGOXQGoicqQ7vvlajr1uETlp/dhCT6hG5ZixteG9G6n2xt hSLKokh0hT5sK9Usdoy3dwELEOprlpv4gFrYQchAaPNHGREEYbmFUgIxWdEIqVh4R6 rsYOl2Vzc4DJw== Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.4\)) Subject: Re: Wrong description in server_ca.config and client_ca.config From: Daniel Gustafsson In-Reply-To: <12f4c425-45fe-480f-a692-b3ed82ebcb33@highgo.ca> Date: Wed, 28 Feb 2024 14:29:25 +0100 Cc: Pgsql Hackers Content-Transfer-Encoding: quoted-printable Message-Id: <9F5D3F4F-EEDE-43F6-BFB2-7918F2946DA4@yesql.se> References: <12f4c425-45fe-480f-a692-b3ed82ebcb33@highgo.ca> To: David Zhang X-Mailer: Apple Mail (2.3696.120.41.1.4) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On 27 Feb 2024, at 20:38, David Zhang wrote: >=20 > Hi Hackers, >=20 > The current descriptions for server_ca.config and client_ca.config are = not so accurate. For example, one of the descriptions in = server_ca.config states, "This certificate is used to sign server = certificates. It is self-signed." However, the server_ca.crt and = client_ca.crt are actually signed by the root_ca.crt, which is the only = self-signed certificate. IIRC the intent was to say it isn't signed by an official CA, but I = agree it's misleading. > Therefore, it would be more accurate to change it to "This certificate = is used to sign server certificates. It is an Intermediate CA." Agreed. We should perhaps add the "This certificate is self-signed" = sentence to root_ca.conf as well while at it, it's currently only mentioned in sslfiles.mk and adding it to the config would make the documentation = more consistent. > Attached is a patch attempting to fix the description issue. Thanks, I'll have another look and will apply. -- Daniel Gustafsson