| From: | Ray Stell <stellr(at)cns(dot)vt(dot)edu> |
|---|---|
| To: | Michael Fuhr <mike(at)fuhr(dot)org> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: no verification of client certificate? |
| Date: | 2007-03-26 13:03:53 |
| Message-ID: | 20070326130353.GA16782@cns.vt.edu |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin pgsql-docs |
Thanks, I'll see if I can test that this morning.
A minor suggestion, perhaps said config or perhaps a reference to the
Chapter 29. libpq - C Library could be added to the section on ssl:
http://www.postgresql.org/docs/8.2/interactive/ssl-tcp.html
If you don't mind, how do you use ssldump to trace a psql setup?
That would be very helpful to know.
On Sun, Mar 25, 2007 at 11:21:25PM -0600, Michael Fuhr wrote:
> On Mon, Mar 26, 2007 at 12:04:21AM -0400, Tom Lane wrote:
> > Well, if it works then why is the OP complaining?
> >
> > Perhaps there is some non-obvious configuration issue that accounts
> > for the difference between your results and his?
>
> I don't see in the OP's messages that he's tried the configuration
> I used. He said he was using the following:
>
> > > no root.crt in the data dir
> > > no .postgresql/ <--- this is what made me think there was no server verification
> > > server.crt/key in the data dir
> > > pg_hba.conf set to hostssl
> > > PGSSLMODE=required or prefer
>
> My test configuration looks the same on the server but different
> on the client:
>
> Server, in $PGDATA
> ==================
> server.key
> server.crt (signed by some CA)
> no root.crt
>
> Client, in ~/.postgresql
> ========================
> root.crt (for the CA that signed server.crt)
> no postgresql.key or postgresql.crt
>
> The OP did say that
>
> > > When I first looked at the ssl doc, I didn't see any description of
> > > installing the root ca on the client. This seemed odd. On my web client,
> > > when I need to verify the server crt, I install the appropriate ca in
> > > the client.
>
> The "SSL Support" section of the libpq documentation mentions
> installing root.crt on the client:
>
> http://www.postgresql.org/docs/8.2/interactive/libpq-ssl.html
>
> "If the file ~/.postgresql/root.crt is present in the user's home
> directory, libpq will use the certificate list stored therein to
> verify the server's certificate. (On Microsoft Windows the file is
> named %APPDATA%\postgresql\root.crt.) The SSL connection will fail
> if the server does not present a certificate; therefore, to use
> this feature the server must also have a root.crt file."
>
> The requirement that the server have a root.crt appears to be
> incorrect, at least in the tests I ran. Unless somebody can justify
> that statement I'll submit a documentation patch to correct it.
>
> --
> Michael Fuhr
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ray Stell | 2007-03-26 13:35:33 | Re: no verification of client certificate? |
| Previous Message | Sorin N. Ciolofan | 2007-03-26 12:32:08 | ERROR: out of shared memory |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ray Stell | 2007-03-26 13:35:33 | Re: no verification of client certificate? |
| Previous Message | Michael Fuhr | 2007-03-26 05:21:25 | Re: no verification of client certificate? |