public inbox for [email protected]
From: Ray Stell <[email protected]>
To: Tom Lane <[email protected]>
Cc: [email protected]
Subject: Re: no verification of client certificate?
Date: Fri, 23 Mar 2007 22:04:34 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]> <[email protected]>
On Fri, Mar 23, 2007 at 06:01:17PM -0400, Tom Lane wrote:
> Ray Stell <[email protected]> writes:
> > I was hoping to not have to support client certs. I want
> > encryption and to verify the server, but not to verify the client.
> > Does this work and I've got the config wrong?
>
> Maybe I misunderstand what you want --- doesn't leaving out the
> server's root.crt file do that?
>
It doesn't look like it to me. I hope you can steer me back.
When I first looked at the ssl doc, I didn't see any description of
installing the root ca on the client. This seemed odd. On my web client,
when I need to verify the server crt, I install the appropriate ca in
the client.
Anyway, two permutations of the various config items provided ssl
connections. One was with a client crt and the other was, as you said,
no root crt on the server datadir. The version without the client cert
was closer to what I was after.
I describe the config here:
no root.crt in the data dir
no .postgresql/ <--- this is what made me think there was no server verification
server.crt/key in the data dir
pg_hba.conf set to hostssl
PGSSLMODE=required or prefer
connect:
--------
$ psql -h serve.vt.edu -p 5437 testdb jira
Password for user jira:
Welcome to psql 8.2.3, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
strace of the above connection; it tries and fails to open the client CA file:
--------------------------------------------------------------------
stat64("/home/postgresql/.postgresql/root.crt", 0xbfee27d0) = -1 ENOENT (No such file or directory)
stat64("/home/postgresql/.postgresql/root.crt", 0xbfee27d0) = -1 ENOENT (No such file or directory)
So, it looks to me like I get encryption this way, but no server verification. Hope I'm wrong.
Thanks for your help.
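As an added illustration, not part of the original thread or of PostgreSQL itself: a POSIX shell function that applies libpq's documented sslmode rules to a client configuration and reports whether the server certificate will actually be checked, or whether the connection is merely encrypted. The rules it encodes are libpq's own: disable/allow/prefer/require never verify on their own, verify-ca and verify-full (introduced in 8.4, after the 8.2 client in the thread) refuse to connect without a root certificate, and, for backward compatibility, require behaves like verify-ca only when a root certificate file is found, which is precisely the file the strace above shows the client probing for. The default path ~/.postgresql/root.crt and the PGSSLMODE/PGSSLROOTCERT variables are libpq's; the function name and the result words are mine.

```shell
#!/bin/sh
# pg_server_verification [sslmode] [rootcert]
#
# Prints one word describing what the libpq client will verify:
#   none - TLS may be negotiated, but the server certificate is not checked
#   ca   - certificate chain is checked against the root certificate
#   full - chain is checked and the server host name must match the cert
# Returns 2 when libpq itself would refuse the configuration.
#
# Assumptions (libpq documentation, not from the thread): sslmode defaults
# to PGSSLMODE or "prefer"; the root certificate defaults to PGSSLROOTCERT
# or ~/.postgresql/root.crt.
pg_server_verification() {
    mode="${1:-${PGSSLMODE:-prefer}}"
    rootcert="${2:-${PGSSLROOTCERT:-$HOME/.postgresql/root.crt}}"

    case "$mode" in
        verify-full)
            # Strongest mode; a missing root cert is a hard connection error.
            [ -r "$rootcert" ] || { echo "error: $rootcert not readable; libpq would refuse to connect" >&2; return 2; }
            echo full
            ;;
        verify-ca)
            [ -r "$rootcert" ] || { echo "error: $rootcert not readable; libpq would refuse to connect" >&2; return 2; }
            echo ca
            ;;
        require)
            # Backward-compatible rule: verify the chain only if a root cert
            # file happens to exist; otherwise encryption without verification.
            if [ -r "$rootcert" ]; then echo ca; else echo none; fi
            ;;
        disable|allow|prefer)
            # No verification in any of these modes (disable uses no TLS at all).
            echo none
            ;;
        *)
            echo "error: unknown sslmode '$mode'" >&2
            return 2
            ;;
    esac
}
```

Run it as `pg_server_verification require` (or with no arguments to read PGSSLMODE and PGSSLROOTCERT from the environment). With no root.crt in place, require yields "none", which is the situation described in the message: an encrypted session whose peer could be any server. Installing a root.crt flips the same setting to "ca"; on a client new enough to support it, sslmode=verify-full is the setting that also pins the host name.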