NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commitc3bf3bf

committed

Tell openssl to include the names of the root certs the server trusts in

requests for client certs. This lets a client with a keystore select theappropriate client certificate to send. In particular, this is necessaryto get Java clients to work in all but the most trivial configurations.Per discussion of bug #5468.Craig Ringer

1 parent615704a commitc3bf3bfCopy full SHA for c3bf3bf

File tree

1 file changed

+11

-2

lines changed

src/backend/libpq
- be-secure.c

1 file changed

+11

-2

lines changed

`‎src/backend/libpq/be-secure.c`

Lines changed: 11 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.99 2010/02/2602:00:42 momjian Exp $`
	`14`	`+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.100 2010/05/2615:52:37 tgl Exp $`
`15`	`15`	`*`
`16`	`16`	`* Since the server static private key ($DataDir/server.key)`
`17`	`17`	`* will normally be stored unencrypted so that the database`
`@@ -721,6 +721,7 @@ static void`
`721`	`721`	`initialize_SSL(void)`
`722`	`722`	`{`
`723`	`723`	`structstatbuf;`
	`724`	`+STACK_OF(X509_NAME)*root_cert_list=NULL;`
`724`	`725`
`725`	`726`	`if (!SSL_context)`
`726`	`727`	`{`
`@@ -810,7 +811,8 @@ initialize_SSL(void)`
`810`	`811`	`ROOT_CERT_FILE)));`
`811`	`812`	`}`
`812`	`813`	`}`
`813`		`-elseif (SSL_CTX_load_verify_locations(SSL_context,ROOT_CERT_FILE,NULL)!=1)`
	`814`	`+elseif (SSL_CTX_load_verify_locations(SSL_context,ROOT_CERT_FILE,NULL)!=1\|\|`
	`815`	`+ (root_cert_list=SSL_load_client_CA_file(ROOT_CERT_FILE))==NULL)`
`814`	`816`	`{`
`815`	`817`	`/*`
`816`	`818`	`* File was there, but we could not load it. This means the file is`
`@@ -866,6 +868,13 @@ initialize_SSL(void)`
`866`	`868`
`867`	`869`	`ssl_loaded_verify_locations= true;`
`868`	`870`	`}`
	`871`	`+`
	`872`	`+/*`
	`873`	`+ * Tell OpenSSL to send the list of root certs we trust to clients in`
	`874`	`+ * CertificateRequests. This lets a client with a keystore select the`
	`875`	`+ * appropriate client certificate to send to us.`
	`876`	`+ */`
	`877`	`+SSL_CTX_set_client_CA_list(SSL_context,root_cert_list);`
`869`	`878`	`}`
`870`	`879`	`}`
`871`	`880`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitc3bf3bf

File tree

1 file changed

1 file changed

`‎src/backend/libpq/be-secure.c`

0 commit comments