*** postgresql-8.4-8.4.3/src/backend/libpq/be-secure.c	2010-02-25 21:26:26.000000000 +0800
--- postgresql-8.4-8.4.3-patched/src/backend/libpq/be-secure.c	2010-05-24 07:46:32.000000000 +0800
***************
*** 715,720 ****
--- 715,721 ----
  initialize_SSL(void)
  {
  	struct stat buf;
+ 	STACK_OF(X509_NAME) * root_cert_list = NULL;
  
  	if (!SSL_context)
  	{
***************
*** 804,810 ****
  						 ROOT_CERT_FILE)));
  		}
  	}
! 	else if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1)
  	{
  		/*
  		 * File was there, but we could not load it. This means the file is
--- 808,815 ----
  						 ROOT_CERT_FILE)));
  		}
  	}
! 	else if ( (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1) ||
! 	          (root_cert_list = SSL_load_client_CA_file(ROOT_CERT_FILE)) == NULL )
  	{
  		/*
  		 * File was there, but we could not load it. This means the file is
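Review bot: The new condition folds two separate loads of ROOT_CERT_FILE into one `||`, with the assignment to `root_cert_list` buried in the second operand, so the failure branch cannot tell which call failed. That branch's body lies outside this hunk, but its message will presumably blame the root file in both cases. Because the file is opened and parsed twice, the CA names advertised to clients and the verification store could differ if the file is replaced between the two calls. I would at least document this above the condition, e.g. `/* The file is read twice: as the verify store and as the CA-name list sent to clients; either failure means the root file is unusable. */`.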
***************
*** 818,823 ****
--- 823,835 ----
  	}
  	else
  	{
+ 		/* 
+ 		 * Tell OpenSSL to send the list of root certs we trust to the client
+ 		 * with the CertificateRequest. This lets a client with a keystore
+ 		 * select the appropriate client certificate to send to us.
+ 		 */
+ 		SSL_CTX_set_client_CA_list(SSL_context, root_cert_list);
+ 
  		/*
  		 * Check the Certificate Revocation List (CRL) if file exists.
  		 * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,
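Review bot: The comment added above `SSL_CTX_set_client_CA_list()` should also say what the list does not do and who owns it. The names are only a hint carried in the CertificateRequest: which client certificates are accepted is still decided by the store loaded with `SSL_CTX_load_verify_locations()`, and the subject names of every CA in ROOT_CERT_FILE become visible to any client that is asked for a certificate, before it has authenticated. OpenSSL takes ownership of the list on this call, so `root_cert_list` must not be freed afterwards. Suggested extra comment line: `* The list is advisory only; SSL_context owns it after this call, so do not free root_cert_list.` The else block continues past the end of this hunk.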
