Date: Fri, 23 Mar 2007 22:04:34 -0400
From: Ray Stell
To: Tom Lane
Cc: pgsql-admin@postgresql.org
Subject: Re: no verification of client certificate?
Message-ID: <20070324020434.GA18533@cns.vt.edu>
References: <20070323181626.GA16092@cns.vt.edu> <25532.1174687277@sss.pgh.pa.us>
In-Reply-To: <25532.1174687277@sss.pgh.pa.us>

On Fri, Mar 23, 2007 at 06:01:17PM -0400, Tom Lane wrote:
> Ray Stell writes:
> > I was hoping to not have to support client certs. I want
> > encryption and to verify the server, but not to verify the client.
> > Does this work and I've got the config wrong?
>
> Maybe I misunderstand what you want --- doesn't leaving out the
> server's root.crt file do that?

It doesn't look like it to me. I hope you can steer me back.

When I first looked at the ssl doc, I didn't see any description of
installing the root ca on the client. This seemed odd. On my web
client, when I need to verify the server crt, I install the appropriate
ca in the client.

Anyway, two permutations of the various config items provided ssl
connections.
One was with a client crt and the other was, as you said, no root crt on
the server datadir. The version without the client cert was closer to
what I was after. I describe the config here:

  no root.crt in the data dir
  no .postgresql/        <--- this is what made me think there was no server verification
  server.crt/key in the data dir
  pg_hba.conf set to hostssl
  PGSSLMODE=required or prefer

connect:
--------
$ psql -h serve.vt.edu -p 5437 testdb jira
Password for user jira:
Welcome to psql 8.2.3, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

strace the above connection, it tries/fails to open the client ca:
--------------------------------------------------------------------
stat64("/home/postgresql/.postgresql/root.crt", 0xbfee27d0) = -1 ENOENT (No such file or directory)
stat64("/home/postgresql/.postgresql/root.crt", 0xbfee27d0) = -1 ENOENT (No such file or directory)

So, it looks to me like I get encryption this way, but no server
verification. Hope I'm wrong. Thanks for your help.
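A client-side probe, added here as an example and not code from the thread or from PostgreSQL, that mirrors what the strace above shows: libpq looks for ~/.postgresql/root.crt and, when the file is absent, negotiates TLS without validating the server certificate. It assumes PostgreSQL's SSLRequest startup message (8 bytes, code 80877103) and a server that answers "S"; the host, port and root.crt path are parameters, not values from the post.

```python
import os
import socket
import ssl
import struct

# libpq's SSLRequest: length 8, then protocol code 80877103 (1234 << 16 | 5679).
# The server replies b"S" if it will switch to TLS, b"N" if not.
SSL_REQUEST_CODE = 80877103
DEFAULT_ROOT_CRT = os.path.expanduser("~/.postgresql/root.crt")


def build_ssl_request() -> bytes:
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def make_context(root_crt: str = DEFAULT_ROOT_CRT) -> ssl.SSLContext:
    """Same choice libpq makes: the server is verified only if root.crt exists."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if os.path.isfile(root_crt):
        ctx.load_verify_locations(cafile=root_crt)
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
    else:
        # No trust anchor on the client: encryption only, any server cert is accepted.
        ctx.check_hostname = False  # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_server(root_crt: str = DEFAULT_ROOT_CRT) -> bool:
    """True when a connection built from this root.crt path will validate the server."""
    return make_context(root_crt).verify_mode == ssl.CERT_REQUIRED


def probe(host: str, port: int = 5432, root_crt: str = DEFAULT_ROOT_CRT) -> dict:
    """Connect, request TLS, and report whether the server cert was actually checked."""
    ctx = make_context(root_crt)
    with socket.create_connection((host, port), timeout=5.0) as raw:
        raw.sendall(build_ssl_request())
        if raw.recv(1) != b"S":
            return {"encrypted": False, "verified": False, "reason": "server declined SSLRequest"}
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"encrypted": True, "verified": verifies_server(root_crt),
                        "cipher": tls.cipher()[0]}
        except ssl.SSLError as exc:  # only reachable when root.crt exists and the chain fails
            return {"encrypted": False, "verified": False, "reason": str(exc)}


if __name__ == "__main__":
    print(probe("localhost"))  # e.g. {'encrypted': True, 'verified': False, ...} without root.crt
```

A result of encrypted=True, verified=False is exactly the state the strace shows: the session is private against a passive observer but the server's identity was never checked.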