To: Ray Stell
cc: pgsql-admin@postgresql.org
Subject: Re: no verification of client certificate?
In-reply-to: <20070324020434.GA18533@cns.vt.edu>
References: <20070323181626.GA16092@cns.vt.edu> <25532.1174687277@sss.pgh.pa.us> <20070324020434.GA18533@cns.vt.edu>
Comments: In-reply-to Ray Stell message dated "Fri, 23 Mar 2007 22:04:34 -0400"
Date: Sun, 25 Mar 2007 22:01:20 -0400
Message-ID: <1950.1174874480@sss.pgh.pa.us>
From: Tom Lane

Ray Stell writes:
> On Fri, Mar 23, 2007 at 06:01:17PM -0400, Tom Lane wrote:
>> Ray Stell writes:
>>> I was hoping to not have to support client certs. I want
>>> encryption and to verify the server, but not to verify the client.
>>> Does this work and I've got the config wrong?
>>
>> Maybe I misunderstand what you want --- doesn't leaving out the
>> server's root.crt file do that?

> It doesn't look like it to me. I hope you can steer me back.

I looked more closely and you are right: if the server does not have a
root.crt file then it doesn't send its server cert to the client, and so
there's no way for the client to verify the cert. Whereas if it does
have root.crt then it insists on verifying the client's cert.

This seems to be a restriction of OpenSSL: sending of the server cert is
implicitly enabled by enabling checking of client certs using root.crt.
Perhaps there's a way around that, but it'll take more knowledge of
OpenSSL than I have to fix it. Offhand your desire doesn't seem
completely unreasonable, so perhaps there is a way to get OpenSSL to do
it that we don't know about.

Bruce, would you add something to the TODO list?

* Support SSL configurations in which client checks server's cert but
  not vice versa.

regards, tom lane