Re: Question on SSL certificate expiry

From: Nikhil Shetty <nikhil(dot)dba04(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org>
Subject: Re: Question on SSL certificate expiry
Date: 2023-06-01 17:00:52
Message-ID: CAFpL5VxG4j8j4ZSU6LFPDaWAGhmHWtPGxv-OxreWues7VgyDpQ@mail.gmail.com
Lists: pgsql-admin

If we provide the CRL then the CRL will be referred to and the connection
might not go through, but the CRL takes at least 12 hours to reflect the
expired certificate.

We wanted to understand if the connection can be rejected based on the
'Expiry date' in the server certificate even without referring to the CRL?

Thanks,
Nikhil

On Thu, Jun 1, 2023 at 9:57 PM Nikhil Shetty <nikhil(dot)dba04(at)gmail(dot)com> wrote:

> Hi Tom,
>
> We are using verify-full on both client and server.
>
> *Server Side pg_hba.conf*
>
> hostssl all <user> <ip> cert clientcert=1
>
> *Server Side SSL*
>
> postgres=# show ssl_cert_file ;
> ssl_cert_file
> --------------------------------------
> /data/server.cert
>
> postgres=# show ssl_ca_file ;
> ssl_ca_file
> ---------------------------------------------
> /data/ca-cert.pem
>
> postgres=# show ssl_key_file ;
> ssl_key_file
> -------------------------------------
> /data/server.key
>
> *Client side SSL*
>
> export PGSSLROOTCERT="ca.pem"
> export PGSSLMODE="verify-full"
> export PGSSLCERT="cert.pem"
> export PGSSLKEY="cert.key"
>
> Thanks,
> Nikhil
>
> On Thu, Jun 1, 2023 at 6:37 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
>> Nikhil Shetty <nikhil(dot)dba04(at)gmail(dot)com> writes:
>> > We were using MTLS to connect to the database. We noticed that even
>> > after server certificates expired the client was able to connect to the
>> > database.
>>
>> > 1. Doesn't postgres check the expiry date of the certificate?
>>
>> Postgres does not. The openssl library can. The most likely
>> guess, on the basis of the next-to-zero details you provided,
>> is that the connection is succeeding via some method that doesn't
>> require the client to check the server's certificate --- for
>> instance, a completely unencrypted connection.
>>
>> regards, tom lane
>>
>
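Added example (not part of the thread, and not PostgreSQL project code): the checks a practitioner would run to answer the question above. The validity period is enforced by OpenSSL, not by Postgres, and only when a side is asked to verify its peer: `sslmode=verify-ca`/`verify-full` on the client, `cert` authentication or `clientcert` on the server. That check needs no CRL; an expired leaf fails with "certificate has expired" before any revocation lookup happens. If a client connects with `sslmode=require` and no root certificate configured (or with the default `prefer`), no server-certificate verification takes place at all, which is the situation Tom Lane suspects. The host name, port and file paths below are assumptions taken from the thread's own paths; the self-signed certificate is constructed test data.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI (1.1.1 or
# newer for -starttls postgres) and psql are installed. Paths, host and port
# are placeholders borrowed from the thread.

# Print the notAfter field of a PEM certificate.
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate
}

# Exit 0 if the certificate is still valid SECONDS from now, 1 if it will have
# expired by then (SECONDS=0 asks "is it expired right now?"). A monitoring job
# should alert on this well before the notAfter date, since the CRL path the
# thread describes lags by hours.
cert_valid_for() {
    cert="$1"; seconds="$2"
    openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null
}

# Fetch the server certificate over the Postgres STARTTLS-style handshake and
# verify it against the CA file libpq is given. "Verify return code: 10
# (certificate has expired)" here is exactly what verify-ca/verify-full rejects,
# CRL or no CRL. A client that still connects is therefore not verifying.
probe_postgres_tls() {
    host="$1"; port="$2"; cafile="$3"
    openssl s_client -starttls postgres -connect "$host:$port" \
        -CAfile "$cafile" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

# Confirm from inside a session that TLS was really negotiated for this
# backend. ssl = 'f' means the "working" connection never touched the
# certificate at all.
pg_session_tls_status() {
    host="$1"; port="$2"; cafile="$3"
    psql "host=$host port=$port sslmode=verify-full sslrootcert=$cafile" -Atc \
        "SELECT ssl, version, cipher, bits FROM pg_stat_ssl WHERE pid = pg_backend_pid();"
}

# Constructed test data: a throwaway self-signed certificate valid for DAYS
# days, so the expiry checks can be exercised without a real server.
make_test_cert() {
    cert="$1"; key="$2"; days="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$cert" \
        -days "$days" -subj "/CN=pg-expiry-demo" 2>/dev/null
}

# Usage against the layout in the thread (assumed host name):
#   cert_enddate /data/server.cert
#   cert_valid_for /data/server.cert $((30*24*3600)) || echo "server.cert expires within 30 days"
#   probe_postgres_tls db.example.internal 5432 ca.pem
#   pg_session_tls_status db.example.internal 5432 ca.pem
```

`cert_valid_for` is the check to wire into monitoring; `probe_postgres_tls` and `pg_session_tls_status` are the two diagnostics that distinguish "OpenSSL accepted an expired certificate" (it will not, under verification) from "the client never asked OpenSSL to verify", which is the explanation the thread converges on.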
