Re: ssl client cert authentication

From: Ray Stell <stellr(at)cns(dot)vt(dot)edu>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: ssl client cert authentication
Date: 2010-11-01 19:15:13
Message-ID: 20101101191513.GA2959@cns.vt.edu
Lists: pgsql-admin pgsql-docs

On Mon, Nov 01, 2010 at 12:46:33PM -0400, Tom Lane wrote:
> Ray Stell <stellr(at)cns(dot)vt(dot)edu> writes:
> > Someone asked about ssl client cert auth recently. I got
> > this to work, but something tripped me up.
>
> > http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html
>
> > states (very clearly, btw) that, "To require the client to supply a
> > trusted certificate, place certificates of the certificate authorities
> > (CAs) you trust in the file root.crt in the data directory." I had
> > ASS-U-MEd that root.crt would go in .postgresql as it does for encryption.
>
> > This begs the question, why two copies of the same file?
>
> The one in ~/.postgresql is for client usage. The one in $PGDATA is for
> the server's use. There's no reason to assume they'd be the same.
>
> regards, tom lane

I think I see where I went off:
31.17. SSL Support
Changing this to:
31.17. Client SSL Support
would be helpful. Also,
31.17.4. SSL File Usage
might be:
31.17.4. SSL Client File Usage
They did this in the server section, so I'm not completely nuts:
17.8.2. SSL Server File Usage

In hindsight it is very clear. Chapter 17 is on the server and 31 is on the
client. Adding those section title words would have helped me stay on
course.

Another way of providing a clue would be to add $PGDATA somewhere in Table
17-3. SSL Server File Usage. They did that sort of thing on the client side
in Table 31-4. Libpq/Client SSL File Usage.
