| From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
|---|---|
| To: | "Zwettler Markus (OIZ)" <Markus(dot)Zwettler(at)zuerich(dot)ch>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: could not accept ssl connection tlsv1 alert unknown ca |
| Date: | 2025-02-03 16:44:08 |
| Message-ID: | 165acdff-2b3c-4425-9840-156e4806839e@aklaver.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 2/3/25 08:09, Adrian Klaver wrote:
> On 2/3/25 02:14, Zwettler Markus (OIZ) wrote:
>> Is it possible to configure "clientcert=disable" in pg_hba.conf or
>> disable the client verification otherwise?
>> The docs only mention "verify-ca" and "verify-full".
>> "In addition to the method-specific options listed below, there is a
>> method-independent authentication option clientcert, which can be
>> specified in any hostssl record. This option can be set to verify-ca
>> or verify-full."
>> https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
>>
>
> From what I understand your client has to either not have the client
> certificates or create them correctly.
>
To follow up from here:
/*
* Always ask for SSL client cert, but don't fail if it's not
* presented. We might fail such connections later, depending on what
* we find in pg_hba.conf.
*/
SSL_CTX_set_verify(context,
(SSL_VERIFY_PEER |
SSL_VERIFY_CLIENT_ONCE),
verify_cb);
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2025-02-03 17:36:48 | Re: Using Expanded Objects other than Arrays from plpgsql |
| Previous Message | Adrian Klaver | 2025-02-03 16:09:32 | Re: could not accept ssl connection tlsv1 alert unknown ca |