*** pgsql/src/backend/libpq/be-secure.c 2010/02/26 02:00:42 1.99 --- pgsql/src/backend/libpq/be-secure.c 2010/05/26 15:52:37 1.100 *************** *** 11,17 **** * * * IDENTIFICATION ! * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.98 2010/02/25 13:26:15 mha Exp $ * * Since the server static private key ($DataDir/server.key) * will normally be stored unencrypted so that the database --- 11,17 ---- * * * IDENTIFICATION ! * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.99 2010/02/26 02:00:42 momjian Exp $ * * Since the server static private key ($DataDir/server.key) * will normally be stored unencrypted so that the database *************** static void *** 721,726 **** --- 721,727 ---- initialize_SSL(void) { struct stat buf; + STACK_OF(X509_NAME) *root_cert_list = NULL; if (!SSL_context) { *************** initialize_SSL(void) *** 810,816 **** ROOT_CERT_FILE))); } } ! else if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1) { /* * File was there, but we could not load it. This means the file is --- 811,818 ---- ROOT_CERT_FILE))); } } ! else if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1 || ! (root_cert_list = SSL_load_client_CA_file(ROOT_CERT_FILE)) == NULL) { /* * File was there, but we could not load it. This means the file is *************** initialize_SSL(void) *** 866,871 **** --- 868,880 ---- ssl_loaded_verify_locations = true; } + + /* + * Tell OpenSSL to send the list of root certs we trust to clients in + * CertificateRequests. This lets a client with a keystore select the + * appropriate client certificate to send to us. + */ + SSL_CTX_set_client_CA_list(SSL_context, root_cert_list); } }
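Review bot: In the last hunk SSL_CTX_set_client_CA_list() is reached unconditionally, so when ROOT_CERT_FILE is absent (the stat() == -1 branch) it is called with root_cert_list still NULL; OpenSSL tolerates NULL there (it just clears any existing list), but the intent is clearer and independent of that library detail with `if (root_cert_list != NULL) SSL_CTX_set_client_CA_list(SSL_context, root_cert_list);`. A caveat the new comment should carry: the subject names that SSL_load_client_CA_file() extracts are sent in the CertificateRequest to every peer that starts a handshake, before any authentication, so the set of trusted CA names in ROOT_CERT_FILE becomes visible to unauthenticated clients, and the list is advisory only — whether a client certificate is accepted is still decided by the store loaded via SSL_CTX_load_verify_locations() and verify_cb; something like `/* Note: this discloses the trusted-CA subject names to any unauthenticated peer; acceptance is still governed by the verify store and verify_cb. */`. Ownership of root_cert_list passes to the context at that call, so nothing needs to be freed here, and the `||` in the earlier hunk correctly routes a failed SSL_load_client_CA_file() into the same FATAL path. initialize_SSL() begins before the first code hunk and its body continues between the hunks shown.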