From: | "Sergio" <sergio(dot)cinos(at)gmail(dot)com> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Client SSL validation using root.crt |
Date: | 2006-11-17 10:54:54 |
Message-ID: | 1163760893.916252.251170@m7g2000cwm.googlegroups.com |
Lists: | pgsql-general pgsql-hackers |
Hello all,
I see a strange behaviour using root.crt. PostgreSQL always waits for a
client certificate to check against root.crt. But if I set up a
'hostnossl' auth line in pg_hba.conf, PostgreSQL still wants a client
certificate. It also fails if the line is a 'host' line.
Better with an example:
---pg_hba.conf---
hostssl all all 192.168.0.1/32 md5
hostnossl all all 192.168.0.2/32 md5
-----------------
If I connect to PostgreSQL from 192.168.0.1, it fails if I don't
provide a client certificate, which is OK. But if I connect from
192.168.0.2, it also fails because I don't send a certificate. But I
declared a non-SSL connection from 192.168.0.2, so it should let me
connect to databases, shouldn't it?
Removing root.crt works as expected. The client in 192.168.0.1 connects
using an SSL connection, and the client in 192.168.0.2 connects using a
plain connection.
Is this behaviour OK? I think not. I want to allow clients on my LAN
to access the PostgreSQL server without an SSL connection, and require
a client certificate and an SSL connection for clients from outside my
LAN.
I think it is not a strange configuration. So the configuration is:
---pg_hba.conf---
hostnossl all all <my-lan-range> md5
hostssl <user> <db> 0.0.0.0/0 md5
-----------------
This fails, because PostgreSQL expects that all clients provide a
client certificate.
Is there any config option to solve this? Is there any page or manual
about PostgreSQL with SSL (more in-depth than
http://www.postgresql.org/docs/8.0/interactive/ssl-tcp.html)?
Oh, I'm using PostgreSQL 8.0.8 on a Gentoo box. Maybe I have to upgrade
to another version?
Thank you in advance.
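To make the intended pg_hba.conf semantics concrete, here is an added example (not PostgreSQL's code and not part of the post) that parses the poster's two-line pg_hba.conf and reports which rule a given client hits. It models only first-match rule selection for host/hostssl/hostnossl lines with 'all' keywords and CIDR masks; the server-side client-certificate check that the poster describes (triggered by the presence of root.crt) is a separate step that this matcher does not model.

```python
# Simplified pg_hba.conf matcher (added example; assumes only
# host/hostssl/hostnossl lines with CIDR addresses and 'all' keywords).
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    conn_type: str   # host | hostssl | hostnossl
    database: str
    user: str
    network: object  # ipaddress.IPv4Network or IPv6Network
    method: str

def parse_pg_hba(text: str) -> list:
    """Parse host-type pg_hba.conf lines, ignoring blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("host", "hostssl", "hostnossl") or len(parts) < 5:
            raise ValueError(f"unsupported pg_hba line: {line!r}")
        conn_type, db, user, addr, method = parts[:5]
        rules.append(Rule(conn_type, db, user,
                          ipaddress.ip_network(addr, strict=False), method))
    return rules

def match_rule(rules, client_ip, ssl, database, user):
    """Return the first matching rule (pg_hba.conf is first-match wins) or None."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r.conn_type == "hostssl" and not ssl:
            continue          # SSL-only line, plain connection
        if r.conn_type == "hostnossl" and ssl:
            continue          # plain-only line, SSL connection
        if r.database != "all" and r.database != database:
            continue
        if r.user != "all" and r.user != user:
            continue
        if ip.version != r.network.version or ip not in r.network:
            continue
        return r
    return None               # no line matched: connection is rejected

# Constructed sample input: the two-line configuration from the post.
PG_HBA = """
hostssl   all all 192.168.0.1/32 md5
hostnossl all all 192.168.0.2/32 md5
"""
RULES = parse_pg_hba(PG_HBA)

if __name__ == "__main__":
    for ip, ssl in (("192.168.0.1", True), ("192.168.0.2", False), ("192.168.0.2", True)):
        r = match_rule(RULES, ip, ssl, "mydb", "alice")
        print(ip, "ssl" if ssl else "plain", "->", r.conn_type if r else "no rule (rejected)")
```

Run as written, it shows that a plain connection from 192.168.0.2 matches the hostnossl line, while an SSL connection from the same address matches nothing, which is why a client that negotiates SSL first can be refused by a hostnossl-only entry.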