Re: postgres ssl client certificate authentification

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Zwettler Markus (OIZ)" <Markus(dot)Zwettler(at)zuerich(dot)ch>
Cc: "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: postgres ssl client certificate authentification
Date: 2021-10-15 15:49:28
Message-ID: 959129.1634312968@sss.pgh.pa.us
Lists: pgsql-general

"Zwettler Markus (OIZ)" <Markus(dot)Zwettler(at)zuerich(dot)ch> writes:
> I am playing around with postgres ssl encryption. I am confused about client certificate authentication:

> <quote>
> The second approach combines any authentication method for hostssl entries with the verification of client certificates by setting the clientcert authentication option to verify-ca or verify-full. The former option only enforces that the certificate is valid, while the latter also ensures that the cn (Common Name) in the certificate matches the user name or an applicable mapping.
> </quote>
> https://www.postgresql.org/docs/12/ssl-tcp.html

Given that your server is 9.6.x, you're reading the wrong version
of the docs. Per

https://www.postgresql.org/docs/9.6/auth-pg-hba-conf.html

the only clientcert value that does anything is "1":

In addition to the method-specific options listed below, there is one
method-independent authentication option clientcert, which can be
specified in any hostssl record. When set to 1, this option requires
the client to present a valid (trusted) SSL certificate, in addition
to the other requirements of the authentication method.

regards, tom lane
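As an added illustration (not part of Tom Lane's reply or of the PostgreSQL docs), here is the same hostssl rule written for each server version; the address range, database and user columns are constructed placeholders:

```conf
# pg_hba.conf on PostgreSQL 9.6: clientcert accepts only 0 or 1.
# TYPE    DATABASE  USER  ADDRESS     METHOD
hostssl   all       all   10.0.0.0/8  md5 clientcert=1
#   -> password auth AND the client must present a certificate that
#      chains to a CA in ssl_ca_file; the certificate CN is not checked.
#      clientcert=0 (the default) adds no certificate requirement.

# pg_hba.conf on PostgreSQL 12: clientcert takes verify-ca or verify-full.
hostssl   all       all   10.0.0.0/8  scram-sha-256 clientcert=verify-ca
#   -> the 9.6 behaviour above: certificate must chain to ssl_ca_file.
hostssl   all       all   10.0.0.0/8  scram-sha-256 clientcert=verify-full
#   -> additionally the certificate CN must match the database user name
#      (or an applicable mapping), as the quoted 12.x docs describe.
```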
