Re: Question on SSL certificate expiry

From: Nikhil Shetty <nikhil(dot)dba04(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org>
Subject: Re: Question on SSL certificate expiry
Date: 2023-06-01 16:27:28
Message-ID: CAFpL5Vyf0Z25seOvH3aCqAc-tzPYKUd9s4Xq9MYn1OpC9=m7Mg@mail.gmail.com
Lists: pgsql-admin

Hi Tom,

We are using verify-full on both client and server.

*Server Side pg_hba.conf*

hostssl all <user> <ip> cert clientcert=1

*Server Side SSL*

postgres=# show ssl_cert_file ;
   ssl_cert_file
--------------------
 /data/server.cert

postgres=# show ssl_ca_file ;
    ssl_ca_file
-------------------
 /data/ca-cert.pem

postgres=# show ssl_key_file ;
   ssl_key_file
------------------
 /data/server.key

*Client side SSL*

export PGSSLROOTCERT="ca.pem"
export PGSSLMODE="verify-full"
export PGSSLCERT="cert.pem"
export PGSSLKEY="cert.key"

Thanks,

Nikhil

On Thu, Jun 1, 2023 at 6:37 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Nikhil Shetty <nikhil(dot)dba04(at)gmail(dot)com> writes:
> > We were using MTLS to connect to the database. We noticed that even after
> > server certificates expired the client was able to connect to the
> database.
>
> > 1. Doesn't postgres check the expiry date of the certificate?
>
> Postgres does not. The openssl library can. The most likely
> guess, on the basis of the next-to-zero details you provided,
> is that the connection is succeeding via some method that doesn't
> require the client to check the server's certificate --- for
> instance, a completely unencrypted connection.
>
> regards, tom lane
>
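Added example, not part of this thread and not PostgreSQL or libpq code: the point in the reply above is that PostgreSQL never looks at notAfter itself; the expiry check happens inside OpenSSL's chain validation, and libpq only asks for that validation under sslmode=verify-ca or verify-full (the server side likewise only validates the client certificate when clientcert / the cert auth method demand it). The script below builds a throwaway CA and a one-day server certificate in a temp directory and then runs the same two checks an admin would run on /data/server.cert: openssl's -checkend against the file, and a full chain-and-hostname validation with -attime so the same certificate can be tested as of today and as of three days from now without waiting for it to expire. The hostname db.example.internal, the CA name and every file path are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread, not PostgreSQL code): reproduce the
# certificate-expiry check that libpq leaves to OpenSSL under verify-ca /
# verify-full, using only the openssl CLI and a throwaway PKI in a temp dir.
# db.example.internal and all file names below are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_KEY="$WORK/ca.key";      CA_CSR="$WORK/ca.csr";     CA_CERT="$WORK/ca.pem"
SRV_KEY="$WORK/server.key"; SRV_CSR="$WORK/server.csr"; SRV_CERT="$WORK/server.cert"
SRV_HOST="db.example.internal"   # assumed; verify-full compares it with the cert's SAN

# Throwaway root CA (constructed test data, regenerated on every run).
# Extensions come from an explicit extfile so the result does not depend on
# whichever openssl.cnf happens to be installed.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.cnf"
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Throwaway Test CA" \
  -keyout "$CA_KEY" -out "$CA_CSR" >/dev/null 2>&1
openssl x509 -req -in "$CA_CSR" -signkey "$CA_KEY" -days 3650 -sha256 \
  -extfile "$WORK/ca.cnf" -out "$CA_CERT" >/dev/null 2>&1

# Server certificate valid for exactly one day, with the SAN verify-full checks.
printf 'subjectAltName=DNS:%s\n' "$SRV_HOST" > "$WORK/san.cnf"
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$SRV_HOST" \
  -keyout "$SRV_KEY" -out "$SRV_CSR" >/dev/null 2>&1
openssl x509 -req -in "$SRV_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
  -days 1 -sha256 -extfile "$WORK/san.cnf" -out "$SRV_CERT" >/dev/null 2>&1

# Check 1, against the file named by ssl_cert_file / PGSSLCERT: print notAfter
# and ask whether the cert is still valid $2 seconds from now.
# -checkend exits 0 when the cert is still valid at now+$2, non-zero otherwise.
cert_not_after() { openssl x509 -noout -enddate -in "$1"; }
cert_valid_for() { openssl x509 -noout -checkend "$2" -in "$1" >/dev/null; }

# Check 2, what libpq actually relies on: OpenSSL chain validation.
# -attime evaluates validity as of an epoch timestamp instead of the clock.
# Exit status is openssl verify's: 0 = chain (and, for verify_full_at, the
# hostname) accepted; an expired cert fails with "certificate has expired".
verify_ca_at() {     # $1=cert $2=epoch            (what sslmode=verify-ca asks for)
  openssl verify -CAfile "$CA_CERT" -attime "$2" "$1" >/dev/null 2>&1
}
verify_full_at() {   # $1=cert $2=epoch $3=expected hostname (sslmode=verify-full)
  openssl verify -CAfile "$CA_CERT" -attime "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

NOW=$(date +%s)
IN_THREE_DAYS=$((NOW + 3 * 86400))

cert_not_after "$SRV_CERT"
if cert_valid_for "$SRV_CERT" 0;              then echo "file check: not expired today"; fi
if ! cert_valid_for "$SRV_CERT" $((3*86400)); then echo "file check: expires within 3 days"; fi
if verify_full_at "$SRV_CERT" "$NOW" "$SRV_HOST";             then echo "verify-full today: accepted"; fi
if ! verify_full_at "$SRV_CERT" "$IN_THREE_DAYS" "$SRV_HOST"; then echo "verify-full in 3 days: rejected"; fi
if ! verify_full_at "$SRV_CERT" "$NOW" "other.example.internal"; then echo "verify-full, wrong host: rejected"; fi
```

Two things worth keeping in mind when applying this to a real server. `show ssl_cert_file` only names a file; what matters is the certificate the running server presents, so check that one directly with `openssl s_client -starttls postgres -connect <host>:5432 -CAfile ca.pem` (or simply `psql "host=<host> sslmode=verify-full sslrootcert=ca.pem"`), which runs the same validation as verify_full_at above against the live listener. And the expiry check only happens at the TLS handshake: with sslmode=require or lower libpq performs no chain validation at all and accepts an expired server certificate, and sessions that were already open before notAfter stay up until they disconnect.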
