Asia <asia123321@xxxxx> Wednesday 07 of September 2011 16:00:39

> > I personally haven't tried SSL for PostgreSQL but, I think, you should
> > put in root.crt only the intermediate certificate (C1 - from prev post), so
> > all and only all "sub-certs" of the intermediate CA will be able to
> > establish a connection (paranoid security).
> >
> > Putting intermediate CAs as trusted in the Java keystore may be a solution,
> > but I'm not sure if, in the situation of cert invalidation, such a cert will be
> > rejected.
> >
> > If you want to write an SSL Factory, you should re-implement KeyManager
> > only, to give the ability of extended search.
> >
> > Regards,
> > Radek
>
> I have already tried with only C1 in root.crt but unfortunately it does
> not work. I get an error message that the cert is invalid. It seems that chained
> CAs are not supported in the way we would like to have it done. I would
> prefer to have the number of trusted certs in root.crt limited as much as
> possible, but as I said it does not work.
>
> About Java, I would need to analyze the libpq code and implement KeyManager
> in a similar way - this is surely possible but not necessarily the preferred
> solution ;-)
>
> Kind regards,
> Joanna

I barely looked at the Java SSL implementation, and it should support a certificate
chain, even if the intermediate cert isn't presented by the server (not in root.crt),
as long as you have a valid chain in the key/trust store.

I found, and you may try to turn it on, "javax.net.debug=all" to see debug info
of cert matching.

Only one thing comes to me as to why it doesn't work: your intermediate cert may
have no issuer DN.

Regards,
Radek

-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general