On Wed, 07 Sep 2011 12:03:45 +0200, Asia wrote:
Asia <asia123321@xxxxx> writes:
> I would expect to have only one top-level CA cert in server's and
> client's root.crt and it was not possible to configure with 2-level
> intermediate CA.
This seems a little confused, since in your previous message you stated that libpq worked correctly and JDBC did not, and now you seem to be saying the opposite.
As far as libpq goes, I would expect it to function correctly in 9.0 and up (and it did function correctly, last I tested it). Previous releases will not do this nicely, for lack of this patch:
http://git.postgresql.org/gitweb/?p=postgresql.git&a=commitdiff&h=4ed4b6c54
regards, tom lane
I apologise then; it seems I was not clear enough when explaining my issue.
I am using PostgreSQL, version 9.0.
I have all of it (libpq and JDBC) working, however I have some doubts about the correctness of my configuration.
The situation is more or less as follows:
Client intermediate CA (root.crt): C1 -> C2, Client cert: C1 -> C2 -> C3
Server intermediate CA (root.crt): C1 -> S1, Server cert: C1 -> S1 -> S2
I always use clientcert=1 in pg_hba to force mutual SSL.
Now with the above configuration libpq connects fine. But when I tried to use JDBC it required me to append the client's intermediate CA "C1 -> C2" to the server's root.crt. So the server's root.crt content looks as follows:
C1 -> S1 -> C1 -> C2
Then the JDBC connection works fine and the change does not affect libpq; it works fine like before.
So my point was, in general, why the behaviour of libpq and the JDBC driver is not common (probably we would need some custom implementation of a Java SSL factory for PostgreSQL); both types of connection have different cert configurations, which I believe would be better if they were common.
And the second issue is that you wrote that it should be enough to put top-level CA certs. So I left only C1 in the server's root.crt, restarted the server and received the following error during connection:
SSL error: certificate verify failed
The question is how to do it correctly?
Please advise.
Kind regards,
Joanna
I think the problem is as follows: the server sends to the client the certificates it can accept (as accepted parents), without the intermediate CA; Java sees only the top-level cert and tries to find a client cert issued directly by the top-level CA. I may only assume that without the intermediate CA you will be able to auth against any cert signed by the top-level CA (this may cause a small security hole as well).
I think this is not needed, but I suggest you check the cert "policies" with v3 extensions.
Java is really pedantic about security.
Regards,
Radek
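A way to check which root.crt contents let the client chain from this thread verify, as an added example that is not part of the thread or of PostgreSQL: it builds throwaway CAs named C1, C2, C3, S1 and S2 (constructed) with openssl and runs OpenSSL's path validation against a root.crt holding only C1, as in the failing attempt above, and against one that also carries the intermediates. It assumes an openssl binary on PATH and a writable temp directory.

```shell
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Extension profiles: intermediates must be real CAs or path building rejects them
cat > "$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[leaf]
basicConstraints=CA:FALSE
EOF

# mkcert NAME ISSUER PROFILE  -- ISSUER "self" makes a self-signed top-level CA
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$2" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
      -extfile "$WORK/ext.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 2 -extfile "$WORK/ext.cnf" -extensions "$3" \
      -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# verify_with CAFILE LEAF [UNTRUSTED]: prints ok/fail; UNTRUSTED plays the role of
# an intermediate the peer itself presents during the handshake
verify_with() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

mkcert C1 self ca       # top-level CA shared by both sides
mkcert C2 C1 ca         # client-side intermediate
mkcert C3 C2 leaf       # client certificate
mkcert S1 C1 ca         # server-side intermediate
mkcert S2 S1 leaf       # server certificate

cp "$WORK/C1.crt" "$WORK/root_toplevel.crt"                  # the "only C1" attempt
cat "$WORK/C1.crt" "$WORK/S1.crt" "$WORK/C2.crt" > "$WORK/root_full.crt"  # C1 + S1 + C2

verify_with "$WORK/root_toplevel.crt" "$WORK/C3.crt"                 # fail: issuer C2 unknown
verify_with "$WORK/root_toplevel.crt" "$WORK/C3.crt" "$WORK/C2.crt"  # ok: peer supplied C2
verify_with "$WORK/root_full.crt" "$WORK/C3.crt"                     # ok: C2 is in root.crt
verify_with "$WORK/root_full.crt" "$WORK/S2.crt"                     # ok: server chain too
```

The duplicate C1 in the thread's "C1 -> S1 -> C1 -> C2" file is harmless to OpenSSL's trust store, so the example lists each certificate once.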
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general