Re: Question about cert authentication method.

A non-existent user cannot be authenticated.

Am 27. November 2022 06:49:49 MEZ schrieb Dhirendra Singh <dhirendraks(at)gmail(dot)com>:
>Yes. My question is about the log message.
>Log message in the postmaster says...FATAL: certificate authentication
>failed for user "test (S114546)"
>But certificate authentication should pass because supplied user in the
>connection request and CN in certificate is same.
>It should fail afterwards with message that user "test (S114546)" does not
>exist.
>
>
>Thanks,
>Dhirendra.
>
>On Fri, Nov 25, 2022 at 9:18 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
>> Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> writes:
>> > On Fri, 2022-11-25 at 15:36 +0530, Dhirendra Singh wrote:
>> >> I am expecting the connection to fail because user "test (S114546) does
>> not exist. but i am confused about the error message in the server log.
>> >> It says certificate authentication failed for user "test (S114546)".
>> but CN in the certificate matches with the user name in psql connection
>> request.
>> >> So certificate authentication should pass. It should fail afterwards.
>>
>> > Well, "test" is different from "test (S114546)", so what do you expect?
>>
>> I think the OP is complaining about the message contents, not the
>> fact of the failure. However, it's intentional that the message sent
>> to the client is vague about the exact cause of an authentication
>> failure. Otherwise we might be giving aid to a blackhat trying to
>> break into the server. The postmaster log is supposed to be more
>> specific, and it looks to me like what's in the log is accurate.
>>
>> regards, tom lane
>>