Re: Fwd: SSL auth question

From: Wim Lewis <wiml(at)omnigroup(dot)com>
To: carriingfate92(at)ya(dot)ru
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Fwd: SSL auth question
Date: 2014-04-03 00:32:51
Message-ID: 36134A5C-1883-4982-9BBE-C8E0DB6E6E81@omnigroup.com
Lists: pgsql-hackers


On 1 Apr 2014, at 11:38 PM, carriingfate92(at)ya(dot)ru wrote:
> I set certificate auth on PostgreSQL 9.3. I generated an SSL certificate with my custom extension. So OpenSSL reads it, and PostgreSQL accepts it if this extension is not critical, but if I set this extension to critical, PostgreSQL denies the connection.

I think that is the correct behavior. The "critical" bit tells PostgreSQL (or other software) what to do if it does not understand the extension: if there's an unknown extension with the critical bit set, then the certificate can't be validated. If the critical bit is not set, then the unknown extension is ignored, and the certificate is processed as if the extension weren't there.

See this section of RFC 5280:
http://tools.ietf.org/html/rfc5280#section-4.2

The idea is that you can set the critical bit for extensions that are supposed to *restrict* the usability of the certificate, so that the certificate won't be used in undesired ways by software that doesn't understand the extension.
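What that rule looks like in code, as an added example that is not from this thread nor from PostgreSQL's or OpenSSL's sources: a minimal DER walk over an X.509 Extensions SEQUENCE that ignores an unrecognised extension unless its critical flag is set. KNOWN_OIDS stands in for whatever a real verifier implements, the sample extensions are constructed here, and 2.999 is the OID arc reserved for examples.

```python
# Constructed example (not from the thread or PostgreSQL/OpenSSL): RFC 5280 s4.2 rule over DER extensions.
KNOWN_OIDS = {"2.5.29.19": "basicConstraints", "2.5.29.15": "keyUsage"}  # stand-in for what a verifier implements

def der(tag, body):  # encode one short-form DER TLV (bodies under 128 bytes, enough here)
    return bytes([tag, len(body)]) + body

def tlv(buf, pos=0):  # decode one short-form DER TLV -> (tag, value, next_pos)
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def decode_oid(raw):  # base-128 sub-identifiers; the first packs the top two arcs
    subids, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(map(str, arcs + subids[1:]))

def extension(oid_der, critical, value):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    flag = der(0x01, b"\xff") if critical else b""  # DER omits the default FALSE
    return der(0x30, der(0x06, oid_der) + flag + der(0x04, value))

def parse_extensions(ext_seq):  # -> [(dotted oid, critical, extnValue bytes)]
    out, pos = [], 0
    _, body, _ = tlv(ext_seq)
    while pos < len(body):
        _, ext, pos = tlv(body, pos)
        _, oid_raw, p = tlv(ext)
        tag, val, p = tlv(ext, p)
        critical = tag == 0x01 and val == b"\xff"
        if tag == 0x01:  # step past the BOOLEAN to reach extnValue
            _, val, p = tlv(ext, p)
        out.append((decode_oid(oid_raw), critical, val))
    return out

def validate(ext_seq):  # unknown and non-critical: ignore; unknown and critical: reject
    unknown = [(oid, crit) for oid, crit, _ in parse_extensions(ext_seq) if oid not in KNOWN_OIDS]
    bad = [oid for oid, crit in unknown if crit]
    if bad:
        return False, f"unrecognised critical extension {bad[0]}"
    return True, [oid for oid, _ in unknown]

BASIC_CONSTRAINTS = b"\x55\x1d\x13"  # 2.5.29.19; extnValue below is CA:FALSE (empty SEQUENCE)
CUSTOM_OID = b"\x88\x37\x01"          # 2.999.1, under the OID arc reserved for examples
ACCEPTED = der(0x30, extension(BASIC_CONSTRAINTS, True, b"\x30\x00") + extension(CUSTOM_OID, False, b"\x04\x02hi"))
REJECTED = der(0x30, extension(BASIC_CONSTRAINTS, True, b"\x30\x00") + extension(CUSTOM_OID, True, b"\x04\x02hi"))
```

`validate(ACCEPTED)` succeeds and reports the custom OID as ignored; `validate(REJECTED)` fails on the same extension once only its critical flag is set, which is the difference the original poster observed.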
