| From: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com> |
|---|---|
| To: | Nikhil Shetty <nikhil(dot)dba04(at)gmail(dot)com> |
| Cc: | Pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Question on SSL certificate expiry |
| Date: | 2023-06-03 00:06:53 |
| Message-ID: | CAMkU=1xzTP++UXodm1NitgeMJh7rQ+6KyAzKxAt8cVcw+SCv5Q@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
On Thu, Jun 1, 2023 at 7:40 AM Nikhil Shetty <nikhil(dot)dba04(at)gmail(dot)com> wrote:
> Hi Team,
>
> We were using MTLS to connect to the database. We noticed that even after
> server certificates expired the client was able to connect to the database.
>
> 1. Doesn't postgres check the expiry date of the certificate?
>
I think PostgreSQL doesn't check it, but the ssl library does. And it works
for me. After setting the system clock ahead a year (minus 12 hours,
because I messed up the am/pm thing), I start getting this on the server
side log file:
11863 [unknown] 08P01 2024-06-02 07:38:11.538 EDT LOG: could not accept
SSL connection: sslv3 alert certificate expired
It is weird that that message ends up in the server's log file, as it is
the client which is doing the rejecting, not the server. So you would
think the client would get the details and the server would get the vague
conclusion. But it is certainly not the only ssl error reporting oddity
I've seen.
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Nikhil Shetty | 2023-06-04 12:38:39 | Re: Question on SSL certificate expiry |
| Previous Message | M Sarwar | 2023-06-02 19:05:00 | Re: Free Opes-source role management software |