Date: Sun, 25 Mar 2007 23:21:25 -0600
From: Michael Fuhr
To: Tom Lane
Cc: Ray Stell, pgsql-admin@postgresql.org
Subject: Re: no verification of client certificate?
Message-ID: <20070326052125.GA6352@winnie.fuhr.org>
In-Reply-To: <3130.1174881861@sss.pgh.pa.us>

On Mon, Mar 26, 2007 at 12:04:21AM -0400, Tom Lane wrote:
> Well, if it works then why is the OP complaining?
>
> Perhaps there is some non-obvious configuration issue that accounts
> for the difference between your results and his?

I don't see in the OP's messages that he's tried the configuration I
used.  He said he was using the following:

> > no root.crt in the data dir
> > no .postgresql/ <--- this is what made me think there was no server verification
> > server.crt/key in the data dir
> > pg_hba.conf set to hostssl
> > PGSSLMODE=required or prefer

My test configuration looks the same on the server but different on
the client:

Server, in $PGDATA
==================
server.key
server.crt (signed by some CA)
no root.crt

Client, in ~/.postgresql
========================
root.crt (for the CA that signed server.crt)
no postgresql.key or postgresql.crt

The OP did say that

> > When I first looked at the ssl doc, I didn't see any description of
> > installing the root ca on the client.  This seemed odd.  On my web client,
> > when I need to verify the server crt, I install the appropriate ca in
> > the client.

The "SSL Support" section of the libpq documentation mentions installing
root.crt on the client:

http://www.postgresql.org/docs/8.2/interactive/libpq-ssl.html

"If the file ~/.postgresql/root.crt is present in the user's home
directory, libpq will use the certificate list stored therein to verify
the server's certificate.  (On Microsoft Windows the file is named
%APPDATA%\postgresql\root.crt.)  The SSL connection will fail if the
server does not present a certificate; therefore, to use this feature
the server must also have a root.crt file."

The requirement that the server have a root.crt appears to be
incorrect, at least in the tests I ran.  Unless somebody can justify
that statement I'll submit a documentation patch to correct it.

-- 
Michael Fuhr
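The file layout Michael describes, built end to end so it can be checked outside of a running database. This is an added example, not part of the original message or of PostgreSQL's own tooling: it assumes the OpenSSL command-line tool is installed, and the CA name (`demo-ca`), the server CN (`db.example.test`) and the temporary directories standing in for `$PGDATA` and the client's `$HOME` are all made up for the demo. The point it isolates is the one the thread turns on: what lets libpq verify the server is a `root.crt` on the *client* containing the CA that signed `server.crt`; the server side needs only `server.key` and `server.crt`, and no `root.crt` is placed in `$PGDATA`.

```shell
#!/bin/sh
# Added example (not from the original message): build a small CA, sign a
# server certificate with it, lay the files out as libpq/postgres expect,
# and check with the OpenSSL CLI whether a client holding a given root.crt
# can verify that server certificate. Names and paths are demo assumptions.
set -eu

WORK=$(mktemp -d)
PGDATA="$WORK/pgdata"              # stand-in for the server's data directory
CLIENT_HOME="$WORK/clienthome"     # stand-in for the connecting user's $HOME
OTHER_HOME="$WORK/otherclient"     # a client that trusts an unrelated CA
mkdir -p "$PGDATA" "$CLIENT_HOME/.postgresql" "$OTHER_HOME/.postgresql"

# 1. A self-signed CA ("some CA" in the message). Key never leaves $WORK.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Server key + CSR, signed by the CA -> $PGDATA/server.key, server.crt.
openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
    -keyout "$PGDATA/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$PGDATA/server.crt" 2>/dev/null
chmod 0600 "$PGDATA/server.key"    # postgres refuses a group/world-readable key

# 3. Client side: the CA that signed server.crt becomes ~/.postgresql/root.crt.
#    Nothing is copied into $PGDATA/root.crt: the server does not need one for
#    the client to verify the server (that file is for verifying *client* certs).
cp "$WORK/ca.crt" "$CLIENT_HOME/.postgresql/root.crt"

# 4. A second client that trusts a different CA entirely.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
    -keyout "$WORK/other.key" -out "$OTHER_HOME/.postgresql/root.crt" 2>/dev/null

# client_can_verify_server HOME PGDATA
# Returns 0 if server.crt chains to a CA listed in HOME/.postgresql/root.crt.
# Returns 1 if there is no root.crt (libpq of this era then does no server
# verification at all) or if the chain does not validate.
client_can_verify_server() {
    _home=$1
    _pgdata=$2
    if [ ! -r "$_home/.postgresql/root.crt" ]; then
        echo "no $_home/.postgresql/root.crt: libpq would not verify the server"
        return 1
    fi
    openssl verify -CAfile "$_home/.postgresql/root.crt" \
        "$_pgdata/server.crt" >/dev/null 2>&1
}

# server_has_root_crt PGDATA -- 0 if $PGDATA/root.crt exists, 1 otherwise.
server_has_root_crt() {
    [ -e "$1/root.crt" ]
}

# Stand-alone run: report the three situations from the thread.
if client_can_verify_server "$CLIENT_HOME" "$PGDATA"; then
    echo "client with matching root.crt: server cert verifies"
fi
if ! client_can_verify_server "$OTHER_HOME" "$PGDATA"; then
    echo "client trusting an unrelated CA: server cert rejected"
fi
if ! server_has_root_crt "$PGDATA"; then
    echo "server has no root.crt, and the check above still passed"
fi
# With a real server the equivalent connection attempt would be, e.g.
#   HOME=$CLIENT_HOME PGSSLMODE=require psql -h db.example.test ...
# (assumed invocation; db.example.test is a placeholder host).
```

What `openssl verify` does here is the same chain validation libpq performs when `root.crt` is present: is `server.crt` signed by something in the client's trust list. Two caveats a practitioner should keep in mind. First, without a client `root.crt`, `PGSSLMODE=require` on libpq of this vintage gives you encryption to whoever answered the TCP connection and nothing more, which is exactly the OP's worry. Second, this is chain validation only: libpq of the 8.2 era did not compare the certificate's CN with the host you connected to (that arrived later as `sslmode=verify-full`), so a `root.crt` protects you from a server presenting an untrusted certificate but not from one presenting any other certificate issued by the same CA.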