| From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
|---|---|
| To: | "Zwettler Markus (OIZ)" <Markus(dot)Zwettler(at)zuerich(dot)ch>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: could not accept ssl connection tlsv1 alert unknown ca |
| Date: | 2025-01-31 16:37:24 |
| Message-ID: | c405c2ba-c0db-453d-909e-d3e893b9d94b@aklaver.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 1/31/25 00:57, Zwettler Markus (OIZ) wrote:
>> Von: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
>> Those cause some additional checks to be made, but it's not like you can expect a
>> completely broken certificate to work without them.
>>
>> regards, tom lane
>
>
>
> I don't understand why Postgres does a certificate validation with “sslmode=prefer”. Postgres should simply ignore every presented client certificate here. Regardless of whether it is trusted or not.
What are the relevant lines in pg_hba.conf?
>
> A certificate validation should only take place in the modes “sslmode=verify-ca” and “ssmode=verify-full”. Only here should Postgres refuse a connection with non-trusted certificates.
>
> At least that's what I read in the documentation. No?
>
> Regards, Markus
>
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Adrian Klaver | 2025-01-31 16:50:34 | Re: Postgres restore sometimes restores to a point 2 days in the past |
| Previous Message | Laurenz Albe | 2025-01-31 13:30:01 | Re: Postgres restore sometimes restores to a point 2 days in the past |