From: Michael Fuhr <[email protected]>
To: Tom Lane <[email protected]>
Cc: Ray Stell <[email protected]>
Cc: [email protected]
Subject: Re: no verification of client certificate?
Date: Sun, 25 Mar 2007 23:21:25 -0600
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>

On Mon, Mar 26, 2007 at 12:04:21AM -0400, Tom Lane wrote:
> Well, if it works then why is the OP complaining?
> 
> Perhaps there is some non-obvious configuration issue that accounts
> for the difference between your results and his?

I don't see in the OP's messages that he's tried the configuration
I used.  He said he was using the following:

> > no root.crt in the data dir
> > no .postgresql/    <--- this is what made me think there was no server verification
> > server.crt/key in the data dir
> > pg_hba.conf set to hostssl
> > PGSSLMODE=required or prefer

My test configuration looks the same on the server but different
on the client:

Server, in $PGDATA
==================
server.key
server.crt (signed by some CA)
no root.crt

Client, in ~/.postgresql
========================
root.crt (for the CA that signed server.crt)
no postgresql.key or postgresql.crt

The OP did say that 

> > When I first looked at the ssl doc, I didn't see any description of
> > installing the root ca on the client.  This seemed odd.  On my web client,
> > when I need to verify the server crt, I install the appropriate ca in
> > the client.

The "SSL Support" section of the libpq documentation mentions
installing root.crt on the client:

http://www.postgresql.org/docs/8.2/interactive/libpq-ssl.html

"If the file ~/.postgresql/root.crt is present in the user's home
directory, libpq will use the certificate list stored therein to
verify the server's certificate.  (On Microsoft Windows the file is
named %APPDATA%\postgresql\root.crt.)  The SSL connection will fail
if the server does not present a certificate; therefore, to use
this feature the server must also have a root.crt file."

The requirement that the server have a root.crt appears to be
incorrect, at least in the tests I ran.  Unless somebody can justify
that statement I'll submit a documentation patch to correct it.

-- 
Michael Fuhr

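As an added illustration, not code from this thread or from PostgreSQL itself, the shell script below recreates the file layout Michael describes (server.key and a CA-signed server.crt under $PGDATA with no root.crt there; only root.crt, the signing CA, under the client's ~/.postgresql) and then performs the check libpq performs when root.crt exists: validating server.crt against root.crt. It assumes the openssl CLI is installed; the CA name and server hostname are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the PostgreSQL project).
# Builds the layout from the message above under a temp dir and checks
# that the client-side root.crt validates the server's certificate.
# Assumes the openssl CLI; "/CN=Test CA" and db.example.test are made up.
set -e

setup_layout() {
  work=$(mktemp -d)
  pgdata="$work/pgdata"
  clientdir="$work/home/.postgresql"
  mkdir -p "$pgdata" "$clientdir"
  # Constructed CA that signs the server certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$work/ca.key" -out "$work/ca.crt" >/dev/null 2>&1
  # Server key + CSR, signed by the CA -> $PGDATA/server.crt; no root.crt here
  openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
    -keyout "$pgdata/server.key" -out "$work/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$work/server.csr" -CA "$work/ca.crt" \
    -CAkey "$work/ca.key" -CAcreateserial -out "$pgdata/server.crt" >/dev/null 2>&1
  # Client side: only the CA certificate, stored as ~/.postgresql/root.crt
  cp "$work/ca.crt" "$clientdir/root.crt"
  echo "$work"
}

# Exit 0 when the CA file ($2) validates the server certificate ($1),
# i.e. the client's root.crt is the CA that signed server.crt.
verify_server_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 when an unrelated CA, used as root.crt, does NOT validate server.crt ($1)
other_ca_rejects() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$tmp/other.key" -out "$tmp/other.crt" >/dev/null 2>&1
  if verify_server_cert "$1" "$tmp/other.crt"; then return 1; else return 0; fi
}

# Stand-alone run: set up the layout and report both checks
demo() {
  w=$(setup_layout)
  verify_server_cert "$w/pgdata/server.crt" "$w/home/.postgresql/root.crt" \
    && echo "client root.crt validates server.crt; $w/pgdata has no root.crt"
  other_ca_rejects "$w/pgdata/server.crt" && echo "unrelated CA is rejected"
}
```

Source the script and call `demo`; the server-side root.crt only matters for verifying client certificates, which is why the layout above omits it.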