Re: no verification of client certificate?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Ray Stell <stellr(at)cns(dot)vt(dot)edu>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: no verification of client certificate?
Date: 2007-03-26 02:01:20
Message-ID: 1950.1174874480@sss.pgh.pa.us
Lists: pgsql-admin pgsql-docs

Ray Stell <stellr(at)cns(dot)vt(dot)edu> writes:
> On Fri, Mar 23, 2007 at 06:01:17PM -0400, Tom Lane wrote:
>> Ray Stell <stellr(at)cns(dot)vt(dot)edu> writes:
>>> I was hoping to not have to support client certs. I want
>>> encryption and to verify the server, but not to verify the client.
>>> Does this work and I've got the config wrong?
>>
>> Maybe I misunderstand what you want --- doesn't leaving out the
>> server's root.crt file do that?

> It doesn't look like it to me. I hope you can steer me back.

I looked more closely and you are right: if the server does not have
a root.crt file then it doesn't send its server cert to the client,
and so there's no way for the client to verify the cert. Whereas if
it does have root.crt then it insists on verifying the client's cert.
This seems to be a restriction of OpenSSL: sending of the server cert is
implicitly enabled by enabling checking of client certs using root.crt.
Perhaps there's a way around that, but it'll take more knowledge of
OpenSSL than I have to fix it.

Offhand your desire doesn't seem completely unreasonable, so perhaps
there is a way to get OpenSSL to do it that we don't know about.
Bruce, would you add something to the TODO list?

* Support SSL configurations in which client checks server's cert but
not vice versa.

regards, tom lane
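The asymmetric configuration the thread asks about (client verifies the server's certificate, server never requests one from the client) expressed directly against OpenSSL through Python's ssl module, as an added example that is not part of this thread or of PostgreSQL's own code. It mints a constructed self-signed certificate with the openssl CLI (assumed to be on PATH) and talks over loopback sockets; the comments map each setting onto the root.crt file the message discusses.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(dirpath):
    """Mint a throwaway self-signed cert for 'localhost' with the openssl CLI (constructed test material)."""
    key, crt = os.path.join(dirpath, "server.key"), os.path.join(dirpath, "server.crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost"],
                   check=True, capture_output=True)
    return key, crt

def server_only_verification():
    """One TLS handshake over loopback: the client verifies the server, the server asks for no client cert.
    Returns the CN the client verified and whatever the server saw as the client's certificate."""
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed(d)
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.load_cert_chain(crt, key)          # the server always offers its own certificate
        srv.verify_mode = ssl.CERT_NONE        # no server-side root.crt: never request a client cert
        cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cli.load_verify_locations(cafile=crt)  # the client's root.crt: trust only this issuer
        cli.verify_mode = ssl.CERT_REQUIRED    # refuse to talk to a server it cannot verify
        cli.check_hostname = True              # and require the name to match as well
        seen = {}
        lsock = socket.socket()
        lsock.bind(("127.0.0.1", 0)); lsock.listen(1)
        port = lsock.getsockname()[1]
        def serve():
            conn, _ = lsock.accept()
            with srv.wrap_socket(conn, server_side=True) as tls:   # handshake happens here
                seen["client_cert"] = tls.getpeercert()            # None: nothing was presented
                tls.sendall(b"hello")
        t = threading.Thread(target=serve); t.start()
        with socket.create_connection(("127.0.0.1", port)) as raw, \
             cli.wrap_socket(raw, server_hostname="localhost") as tls:
            peer = tls.getpeercert()            # populated only because verification succeeded
            banner = tls.recv(5)
        t.join(); lsock.close()
    cn = dict(rdn[0] for rdn in peer["subject"])["commonName"]
    return {"verified_server_cn": cn, "client_cert_seen_by_server": seen["client_cert"], "banner": banner}
```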
