From: | Rejo Oommen <rejo(dot)oommen(at)gmail(dot)com> |
---|---|
To: | Thomas Guyot <tguyot(at)gmail(dot)com> |
Cc: | pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Re: Is Client connections via ca.crt only possible? |
Date: | 2022-08-04 01:37:03 |
Message-ID: | CAFiZ60hNc6=nLdWUH9W9HgeP4ZHiUEf3csCoV-w5XFdMirM77A@mail.gmail.com |
Lists: | pgsql-general |
Thank you for the reply Thomas. I agree with you on the mutual TLS that you
mentioned.
Here is what I was looking at.
The configurations at the server end will be with auth-method as md5 and
auth-option as clientcert=verify-ca.
In this way, the user's password along with the valid ca should allow
connections to pass.
Regards,
Rejo
On Thu, 4 Aug 2022, 03:01 Thomas Guyot, <tguyot(at)gmail(dot)com> wrote:
> On 2022-08-01 04:12, Rejo Oommen wrote:
> > Requirement is to use only ca.crt and connect to postgres
> >
> > Server.crt, Server.key and ca.crt are configured at the postgres
> > server for tls connection.
> >
> > Connection successful while using
> > psql ‘host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca
> > sslcert=/tmp/server.crt sslkey=/tmp/server.key sslrootcert=/tmp/ca.crt
> > port=5432’
> >
> > For clients to connect, can they use only ca.crt and connect to the
> > DB. Tried and got the below error
> >
> > psql ‘host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca
> > sslrootcert=/tmp/ca.crt port=5432’
> > psql: error: connection to server at “172.29.21.222”, port 50001
> > failed: FATAL: connection requires a valid client certificate
> >
>
> Hi Rejo,
>
> I don't think you understand fully how mutual TLS auth works. For the
> client to authenticate using a certificate, it needs a valid certificate
> and key too, where the certificate is signed by a CA your server trusts
> (usually the same CA that signed your server cert) and with a proper
> subject (that bears the certificate owner's user name, the user you will
> use to grant privileges in the database). You shouldn't even need to
> pass a username, it will be in the certificate.
>
> I'm talking purely from a generic view, I'm not familiar with any of the
> specifics of PostgreSQL configuration but TLS authentication requires a
> secret and a CA certificate isn't secret. Your server certificate
> authenticates the server, but nothing authenticates the client.
>
> Regards,
>
> --
> Thomas
>
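To make the distinction in this thread concrete (Thomas's cert-authenticated mutual TLS versus Rejo's md5 password plus clientcert=verify-ca), here is an added example that is not part of the original thread and not PostgreSQL's own code. It parses a small, constructed pg_hba.conf and two libpq conninfo strings modelled on the ones above, then reports which credentials the server demands and which the client has not supplied. The client certificate paths /tmp/client.crt and /tmp/client.key are assumptions standing in for a certificate the trusted CA issued to the client; the rules it encodes (hostssl forces TLS, md5/scram/password methods need a password, the cert method or clientcert=verify-ca/verify-full need a client certificate) follow the pg_hba.conf documentation.

```python
"""Added example: what a client must present for a given pg_hba.conf entry.

Not PostgreSQL code. It models the documented pg_hba.conf rules (METHOD,
clientcert=verify-ca/verify-full, the cert method) and libpq conninfo keys
(sslmode, sslcert, sslkey, sslrootcert, password).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample pg_hba.conf, not the poster's real file. The first line is
# the combination Rejo describes: md5 password plus a CA-validated client cert.
SAMPLE_PG_HBA = """\
# TYPE   DATABASE  USER      ADDRESS          METHOD         [OPTIONS]
hostssl  test      postgres  172.29.21.0/24   md5            clientcert=verify-ca
hostssl  all       all       10.0.0.0/8       cert
hostssl  all       all       0.0.0.0/0        scram-sha-256
host     all       all       0.0.0.0/0        md5
"""

# Conninfo strings shaped like the two in the thread (host/port omitted).
# client.crt/client.key are assumed paths for a CA-issued client certificate.
CONNINFO_WITH_CLIENT_CERT = (
    "dbname=test user=postgres sslmode=verify-ca "
    "sslcert=/tmp/client.crt sslkey=/tmp/client.key sslrootcert=/tmp/ca.crt"
)
CONNINFO_CA_ONLY = "dbname=test user=postgres sslmode=verify-ca sslrootcert=/tmp/ca.crt"


@dataclass
class HbaEntry:
    conn_type: str
    database: str
    user: str
    address: Optional[str]
    method: str
    options: Dict[str, str] = field(default_factory=dict)


def parse_pg_hba(text: str) -> List[HbaEntry]:
    """Parse pg_hba.conf lines. Assumes CIDR addresses (no separate netmask column)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":               # local sockets carry no ADDRESS column
            database, user, address, rest = fields[1], fields[2], None, fields[3:]
        else:
            database, user, address, rest = fields[1], fields[2], fields[3], fields[4:]
        options = dict(opt.partition("=")[::2] for opt in rest[1:])   # key=value pairs
        entries.append(HbaEntry(conn_type, database, user, address, rest[0], options))
    return entries


def parse_conninfo(conninfo: str) -> Dict[str, str]:
    """Parse a simple space-separated key=value libpq conninfo string (no quoting)."""
    return dict(kv.partition("=")[::2] for kv in conninfo.split())


PASSWORD_METHODS = {"md5", "scram-sha-256", "password"}


def server_requirements(entry: HbaEntry) -> Set[str]:
    """Credentials the server demands before this entry lets a session through."""
    needs: Set[str] = set()
    if entry.conn_type == "hostssl":
        needs.add("tls")
    if entry.method in PASSWORD_METHODS:
        needs.add("password")
    # 'cert' authenticates by certificate alone (chain plus CN match, i.e. verify-full);
    # any other method can additionally demand a certificate via clientcert=.
    if entry.method == "cert" or entry.options.get("clientcert") in {"verify-ca", "verify-full", "1"}:
        needs.add("client certificate")
    return needs


def client_presents(params: Dict[str, str]) -> Set[str]:
    """What a libpq client can offer, judging from its conninfo alone."""
    offers: Set[str] = set()
    if params.get("sslmode", "prefer") != "disable":   # anything but disable negotiates TLS
        offers.add("tls")
    if "sslcert" in params and "sslkey" in params:      # a CA root alone is not a credential
        offers.add("client certificate")
    if "password" in params:
        offers.add("password")
    return offers


def diagnose(entry: HbaEntry, conninfo: str) -> Set[str]:
    """Server demands the conninfo does not satisfy.

    A missing 'password' is survivable because psql prompts for it; a missing
    'client certificate' is not, and is what produces the FATAL in the thread.
    """
    return server_requirements(entry) - client_presents(parse_conninfo(conninfo))


if __name__ == "__main__":
    for entry in parse_pg_hba(SAMPLE_PG_HBA):
        for conninfo in (CONNINFO_WITH_CLIENT_CERT, CONNINFO_CA_ONLY):
            print(entry.method, entry.options, "->", sorted(diagnose(entry, conninfo)))
```

For the md5 plus clientcert=verify-ca line, the CA-only conninfo leaves "client certificate" unsatisfied, which matches the "connection requires a valid client certificate" error quoted above; the conninfo that carries sslcert and sslkey leaves only the password, which psql prompts for. Two caveats worth knowing: verify-ca only checks that the client certificate chains to a CA in the server's ssl_ca_file, so the server's own certificate and key (as in the first psql command in the thread) will pass it, whereas clientcert=verify-full or the cert method also require the certificate's CN to match the database user, so a dedicated client certificate is the right thing to issue; and a CA certificate by itself is public and proves nothing, which is the point Thomas makes.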