Re: Question about cert authentication method.

From: Dhirendra Singh <dhirendraks(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>, pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Re: Question about cert authentication method.
Date: 2022-11-27 05:49:49
Message-ID: CAEyh4sbN10dRHfEHgzcPcZj3YALAJ1hkRjidWbQOA4f5SzCSdg@mail.gmail.com
Lists: pgsql-admin

Yes. My question is about the log message.
The log message in the postmaster says: FATAL: certificate authentication
failed for user "test (S114546)"
But certificate authentication should pass because the supplied user in the
connection request and the CN in the certificate are the same.
It should fail afterwards with a message that user "test (S114546)" does not
exist.

Thanks,
Dhirendra.

On Fri, Nov 25, 2022 at 9:18 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> writes:
> > On Fri, 2022-11-25 at 15:36 +0530, Dhirendra Singh wrote:
> >> I am expecting the connection to fail because user "test (S114546)" does
> >> not exist. But I am confused about the error message in the server log.
> >> It says certificate authentication failed for user "test (S114546)".
> >> But CN in the certificate matches with the user name in psql connection
> >> request.
> >> So certificate authentication should pass. It should fail afterwards.
>
> > Well, "test" is different from "test (S114546)", so what do you expect?
>
> I think the OP is complaining about the message contents, not the
> fact of the failure. However, it's intentional that the message sent
> to the client is vague about the exact cause of an authentication
> failure. Otherwise we might be giving aid to a blackhat trying to
> break into the server. The postmaster log is supposed to be more
> specific, and it looks to me like what's in the log is accurate.
>
> regards, tom lane
>
