From: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com> |
---|---|
To: | Matthew Lenz <mlenz(at)nocturnal(dot)org> |
Cc: | pgsql-admin(at)lists(dot)postgresql(dot)org |
Subject: | Re: proper pg_hba config to require ssl from non-local/private ips |
Date: | 2022-10-19 16:51:45 |
Message-ID: | CAMkU=1w4terLtcWHm2gZXO92pB69UdFZdeyvSoLBAiS3A_9B2Q@mail.gmail.com |
Lists: | pgsql-admin |
On Wed, Oct 19, 2022 at 12:29 PM Matthew Lenz <mlenz(at)nocturnal(dot)org> wrote:
> On Wed, Oct 19, 2022 at 10:47 AM Jeff Janes <jeff(dot)janes(at)gmail(dot)com> wrote:
>
>>
>> No, clientcert=verify-ca forces the server to check the client's
>> certificate. Forcing the client to check the server's certificate must be
>> done on the client end. (And of course if you are not connecting via that
>> line of the pg_hba, then that setting doesn't do anything.)
>>
>>
> I didn't say the client was meant to enforce it. I meant the server
> should be enforcing it (it's not).
>
Well, if it isn't enforcing ssl in the first place, it certainly can't be
enforcing clientcert. Worry about making sure your current version of
pg_hba is actually in use first, then the clientcert issue should take care
of itself. You still can't start debugging the one (in the unlikely event
it still needs debugging) until after you fix the other.
Cheers,
Jeff
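
An added illustration (not part of the message above or of the original thread) of why `clientcert` does nothing unless the connection is matched by the line that carries it: a simplified Python model of pg_hba.conf first-match selection. The two configurations, the addresses and the helper names are constructed for this example, and the database and user columns are assumed to be `all`.

```python
import ipaddress

# Constructed pg_hba.conf contents (not from the thread). Simplified model:
# only TYPE and ADDRESS are matched; DATABASE and USER are assumed to be "all".
BROKEN = """\
host     all all 0.0.0.0/0   scram-sha-256
hostssl  all all 0.0.0.0/0   scram-sha-256 clientcert=verify-ca
"""
FIXED = """\
host     all all 10.0.0.0/8  scram-sha-256
hostssl  all all 0.0.0.0/0   scram-sha-256 clientcert=verify-ca
host     all all 0.0.0.0/0   reject
"""

def parse(text):
    """Return (type, network, method, options) for each non-comment record."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5:
            continue
        opts = dict(f.split("=", 1) for f in fields[5:])
        rules.append((fields[0], ipaddress.ip_network(fields[3]), fields[4], opts))
    return rules

def first_match(rules, client_ip, ssl):
    """PostgreSQL uses the first record that matches; there is no fall-through."""
    ip = ipaddress.ip_address(client_ip)
    for conn_type, net, method, opts in rules:
        type_ok = (conn_type == "host"                       # SSL and non-SSL
                   or (conn_type == "hostssl" and ssl)       # SSL only
                   or (conn_type == "hostnossl" and not ssl))
        if type_ok and ip in net:
            return conn_type, method, opts.get("clientcert")
    return None  # no record matched: the server rejects the connection

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        rules = parse(conf)
        for ip, ssl in (("203.0.113.7", True), ("203.0.113.7", False), ("10.1.2.3", False)):
            print(name, ip, "ssl" if ssl else "plain", "->", first_match(rules, ip, ssl))
```

In the BROKEN ordering the broad `host` line matches every TCP connection first, so the `hostssl ... clientcert=verify-ca` line is never reached, even for clients that do connect over SSL.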