Re: Re: could not accept ssl connection tlsv1 alert unknown ca

> -----Ursprüngliche Nachricht-----
> Von: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
> Gesendet: Freitag, 31. Januar 2025 17:37
> An: Zwettler Markus (OIZ) <Markus(dot)Zwettler(at)zuerich(dot)ch>; Tom Lane
> <tgl(at)sss(dot)pgh(dot)pa(dot)us>; pgsql-general(at)lists(dot)postgresql(dot)org
> Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca
>
> On 1/31/25 00:57, Zwettler Markus (OIZ) wrote:
> >> Von: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
>
> >> Those cause some additional checks to be made, but it's not like you
> >> can expect a completely broken certificate to work without them.
> >>
> >> regards, tom lane
> >
> >
> >
> > I don't understand why Postgres does a certificate validation with
> “sslmode=prefer”. Postgres should simply ignore every presented client certificate
> here. Regardless of whether it is trusted or not.
>
> What are the relevant lines in pg_hba.conf?
>
> >
> > A certificate validation should only take place in the modes “sslmode=verify-ca”
> and “ssmode=verify-full”. Only here should Postgres refuse a connection with non-
> trusted certificates.
> >
> > At least that's what I read in the documentation. No?
> >
> > Regards, Markus
> >
>
> --
> Adrian Klaver
> adrian(dot)klaver(at)aklaver(dot)com
>

bash-4.4$ cat pg_hba.conf
# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
host all "ccp_monitoring" "::1/128" scram-sha-256
host all "ccp_monitoring" all reject
hostssl all all all md5