| From: | "Zwettler Markus (OIZ)" <Markus(dot)Zwettler(at)zuerich(dot)ch> |
|---|---|
| To: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | postgres ssl client certificate authentification |
| Date: | 2021-10-15 15:32:25 |
| Message-ID: | 54285c6f118c4aa1b5b7a5bfc99bd840@zuerich.ch |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hi all,
I am playing around with postgres ssl encryption. I am confused about client certificate authentication:
<quote>
The second approach combines any authentication method for hostssl entries with the verification of client certificates by setting the clientcert authentication option to verify-ca or verify-full. The former option only enforces that the certificate is valid, while the latter also ensures that the cn (Common Name) in the certificate matches the user name or an applicable mapping.
</quote>
https://www.postgresql.org/docs/12/ssl-tcp.html
I tried both configurations within my pg_hba.conf, one after another:
hostssl all all 0.0.0.0/0 md5 clientcert=verify-ca
hostssl all all 0.0.0.0/0 md5 clientcert=verify-full
Unfortunately, my postgres server doesn't care about any client certificate.
I can do a SSL connection even without any certificate or wrong certificate on the client side (located in the users home directory).
[tstzwma(at)tstm27373 ~]$ psql 'host=tstm49004 port=5900 dbname=pcl_l222 user=test'
Password:
psql (10.17, server 9.6.21)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
pcl_l222=>
Any idea?
Thanks, Markus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2021-10-15 15:49:28 | Re: postgres ssl client certificate authentification |
| Previous Message | Tom Lane | 2021-10-15 14:01:20 | Re: "two time periods with only an endpoint in common do not overlap" ??? |