Re: Question on SSL certificate expiry

From: Nikhil Shetty <nikhil(dot)dba04(at)gmail(dot)com>
To: Jeff Janes <jeff(dot)janes(at)gmail(dot)com>
Cc: Pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org>
Subject: Re: Question on SSL certificate expiry
Date: 2023-06-04 12:38:39
Message-ID: CAFpL5Vx16kbYuh4YQVmGs3mYDw3VuSyDGkbijyook404QCCumg@mail.gmail.com
Lists: pgsql-admin

Hi Jeff

I am not getting this error when I tried using psql.

> I think PostgreSQL doesn't check it, but the ssl library does

Do you mean the psql client (libpq) will not be able to check?

> It is weird that that message ends up in the server's log file, as it is
> the client which is doing the rejecting, not the server. So you would
> think the client would get the details and the server would get the vague
> conclusion. But it is certainly not the only ssl error reporting oddity
> I've seen.

Are you saying the client will be able to login but the error will be
reported only in the server log?

Thanks,
Nikhil

On Sat, Jun 3, 2023 at 5:37 AM Jeff Janes <jeff(dot)janes(at)gmail(dot)com> wrote:

> On Thu, Jun 1, 2023 at 7:40 AM Nikhil Shetty <nikhil(dot)dba04(at)gmail(dot)com>
> wrote:
>
>> Hi Team,
>>
>> We were using MTLS to connect to the database. We noticed that even after
>> server certificates expired the client was able to connect to the database.
>>
>> 1. Doesn't postgres check the expiry date of the certificate?
>>
>
> I think PostgreSQL doesn't check it, but the ssl library does. And it
> works for me. After setting the system clock ahead a year (minus 12 hours,
> because I messed up the am/pm thing), I start getting this on the server
> side log file:
>
> 11863 [unknown] 08P01 2024-06-02 07:38:11.538 EDT LOG: could not accept
> SSL connection: sslv3 alert certificate expired
>
> It is weird that that message ends up in the server's log file, as it is
> the client which is doing the rejecting, not the server. So you would
> think the client would get the details and the server would get the vague
> conclusion. But it is certainly not the only ssl error reporting oddity
> I've seen.
>
>>
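
As an added example (not part of the original thread, and not PostgreSQL's own code): a small Python scan of server log lines that separates handshake failures where the peer sent a TLS alert, as in the log line quoted above, from failures of the server's own certificate verification. It assumes OpenSSL's convention that a reason string of the form "<protocol> alert <description>" reports an alert received from the peer; the function names are hypothetical, and all sample lines except the first are constructed.

```python
import re
from collections import Counter

# Message text as in the log line quoted in the thread. Whatever precedes
# "LOG:" depends on log_line_prefix, so it is deliberately not parsed.
ACCEPT_FAIL = re.compile(
    r"LOG:\s+could not accept SSL connection:\s+(?P<reason>.+?)\s*$"
)

# Assumption: OpenSSL reason strings shaped "<protocol> alert <description>"
# report an alert RECEIVED from the peer, i.e. the client refused the handshake.
PEER_ALERT = re.compile(r"^(?:sslv3|tlsv1\w*) alert (?P<desc>.+)$")


def classify(line):
    """Return (rejected_by, detail) for a failed SSL accept, else None."""
    m = ACCEPT_FAIL.search(line)
    if m is None:
        return None
    reason = m.group("reason")
    alert = PEER_ALERT.match(reason)
    if alert:
        return ("client", alert.group("desc"))
    if "certificate verify failed" in reason:
        # The server's own check of the client certificate failed.
        return ("server", reason)
    return ("unknown", reason)


def summarize(lines):
    """Count failed SSL accepts per (rejected_by, detail)."""
    return Counter(c for c in map(classify, lines) if c is not None)


# First line: from the thread, joined onto one line. The rest are constructed.
SAMPLE_LOG = [
    "11863 [unknown] 08P01 2024-06-02 07:38:11.538 EDT LOG: could not accept SSL connection: sslv3 alert certificate expired",
    "11870 [unknown] 08P01 2024-06-02 07:38:15.102 EDT LOG: could not accept SSL connection: sslv3 alert certificate expired",
    "11902 [unknown] 08P01 2024-06-02 07:40:02.771 EDT LOG: could not accept SSL connection: certificate verify failed",
    "11910 [unknown] 08P01 2024-06-02 07:41:30.004 EDT LOG: could not accept SSL connection: tlsv1 alert unknown ca",
    "11915 app 00000 2024-06-02 07:42:00.000 EDT LOG: connection authorized: user=app database=app",
]

if __name__ == "__main__":
    for (who, detail), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  rejected by {who}: {detail}")
```

A count of "rejected by client: certificate expired" entries points at the server certificate, since that alert is the client's verdict on what the server presented.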
