Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist

From: Jacob Champion <jchampion(at)timescale(dot)com>
To: Jim Jones <jim(dot)jones(at)uni-muenster(dot)de>
Cc: Cary Huang <cary(dot)huang(at)highgo(dot)ca>, Israel Barth Rubio <barthisrael(at)gmail(dot)com>, Jelte Fennema <postgres(at)jeltef(dot)nl>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist
Date: 2023-01-30 21:02:04
Message-ID: CAAWbhmh=3-VgG7FrS9sy1seaChT=MP62DMbBGKF+73DX_Zzd8g@mail.gmail.com
Lists: pgsql-hackers

On Sun, Jan 29, 2023 at 5:02 AM Jim Jones <jim(dot)jones(at)uni-muenster(dot)de> wrote:
> On 27.01.23 21:13, Cary Huang wrote:
> > But, if the server does request clientcert but client uses
> > "sslcertmode=disable" to connect and not give a certificate, it would
> > also result in authentication failure. In this case, we actually would
> > want to ignore "sslcertmode=disable" and send default certificates if
> > found.
>
> I'm just wondering if this is really necessary. If the server asks for a
> certificate and the user explicitly says "I don't want to send it",
> shouldn't it be ok for the server to return an authentication failure? I
> mean, wouldn't it defeat the purpose of "sslcertmode=disable"?

+1. In my opinion, if I tell libpq not to share my certificate with
the server, and it then fails to authenticate, that's intended and
useful behavior. (I don't really want libpq to try to find more ways
to authenticate me; that causes other security issues [1, 2].)

--Jacob

[1] https://www.postgresql.org/message-id/0adf992619e7bf138eb4119622d37e3efb6515d5.camel%40j-davis.com
[2] https://www.postgresql.org/message-id/46562.1637695110%40sss.pgh.pa.us
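The interaction the thread is debating, shown as a server/client configuration pair. This is an added illustration, not configuration from the thread: the pg_hba.conf line and the client connection string are assumptions chosen to reproduce the scenario (server requires a client certificate, client explicitly declines to send one), and the expected outcome is the one Jim and Jacob describe, an authentication failure that is intended rather than something libpq should paper over by silently falling back to ~/.postgresql/postgresql.crt.

```conf
# --- server side: pg_hba.conf (assumed example, not from the thread) ---
# Accept SSL connections for this database, authenticate with SCRAM, and
# additionally REQUIRE a client certificate that chains to the server's CA
# and whose CN matches the database user.  Any connection that presents no
# certificate is rejected at the TLS/auth step.
hostssl   appdb   all   10.0.0.0/8   scram-sha-256   clientcert=verify-full

# --- client side: libpq connection string (assumed example) ---
# sslcertmode=disable tells libpq NOT to send a client certificate, even if
# ~/.postgresql/postgresql.crt and postgresql.key exist on disk.
# Against the pg_hba.conf line above this connection is expected to FAIL.
# That failure is the intended, visible signal: the operator asked libpq
# not to present the certificate, and the server's policy demands one.
host=db.example.com dbname=appdb user=app sslmode=verify-full sslcertmode=disable

# Defender's check: if a client with sslcertmode=disable is rejected, the
# server-side clientcert policy is doing its job. The fix belongs in the
# client's explicit settings (drop sslcertmode=disable, or point sslcert/
# sslkey at the intended key pair), not in libpq quietly retrying with
# whatever credentials it happens to find in the home directory.
```

The point of keeping the failure loud is the one Jacob raises: a client library that hunts for additional credentials after the user has opted out widens the set of secrets that may be presented without the operator's knowledge, which is the class of problem cited in references [1] and [2] above.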
