Received: from localhost (maia-4.hub.org [200.46.204.183]) by postgresql.org (Postfix) with ESMTP id A43899FB26A for ; Mon, 26 Mar 2007 10:04:02 -0300 (ADT)
Received: from postgresql.org ([200.46.204.71]) by localhost (mx1.hub.org [200.46.204.183]) (amavisd-new, port 10024) with ESMTP id 31678-06 for ; Mon, 26 Mar 2007 10:03:55 -0300 (ADT)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.4
Received: from locust.cns.vt.edu (locust.cns.vt.edu [198.82.169.14]) by postgresql.org (Postfix) with ESMTP id 1882A9FB25E for ; Mon, 26 Mar 2007 10:03:54 -0300 (ADT)
Received: by locust.cns.vt.edu (Postfix, from userid 986) id 2D83D118A32; Mon, 26 Mar 2007 09:03:53 -0400 (EDT)
Date: Mon, 26 Mar 2007 09:03:53 -0400
From: Ray Stell
To: Michael Fuhr
Cc: Tom Lane , pgsql-admin@postgresql.org
Subject: Re: no verification of client certificate?
Message-ID: <20070326130353.GA16782@cns.vt.edu>
References: <20070323181626.GA16092@cns.vt.edu> <25532.1174687277@sss.pgh.pa.us> <20070324020434.GA18533@cns.vt.edu> <1950.1174874480@sss.pgh.pa.us> <20070326025713.GA5653@winnie.fuhr.org> <3130.1174881861@sss.pgh.pa.us> <20070326052125.GA6352@winnie.fuhr.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20070326052125.GA6352@winnie.fuhr.org>
User-Agent: Mutt/1.5.11
X-Virus-Scanned: Maia Mailguard 1.0.1
X-Archive-Number: 200703/190
X-Sequence-Number: 25014

Thanks, I'll see if I can test that this morning.

A minor suggestion: perhaps said config, or perhaps a reference to
"Chapter 29. libpq - C Library", could be added to the section on SSL:

http://www.postgresql.org/docs/8.2/interactive/ssl-tcp.html

If you don't mind, how do you use ssldump to trace a psql setup?
That would be very helpful to know.

On Sun, Mar 25, 2007 at 11:21:25PM -0600, Michael Fuhr wrote:
> On Mon, Mar 26, 2007 at 12:04:21AM -0400, Tom Lane wrote:
> > Well, if it works then why is the OP complaining?
> >
> > Perhaps there is some non-obvious configuration issue that accounts
> > for the difference between your results and his?
>
> I don't see in the OP's messages that he's tried the configuration
> I used. He said he was using the following:
>
> > > no root.crt in the data dir
> > > no .postgresql/ <--- this is what made me think there was no server verification
> > > server.crt/key in the data dir
> > > pg_hba.conf set to hostssl
> > > PGSSLMODE=required or prefer
>
> My test configuration looks the same on the server but different
> on the client:
>
> Server, in $PGDATA
> ==================
> server.key
> server.crt (signed by some CA)
> no root.crt
>
> Client, in ~/.postgresql
> ========================
> root.crt (for the CA that signed server.crt)
> no postgresql.key or postgresql.crt
>
> The OP did say that
>
> > > When I first looked at the ssl doc, I didn't see any description of
> > > installing the root ca on the client. This seemed odd. On my web client,
> > > when I need to verify the server crt, I install the appropriate ca in
> > > the client.
>
> The "SSL Support" section of the libpq documentation mentions
> installing root.crt on the client:
>
> http://www.postgresql.org/docs/8.2/interactive/libpq-ssl.html
>
> "If the file ~/.postgresql/root.crt is present in the user's home
> directory, libpq will use the certificate list stored therein to
> verify the server's certificate. (On Microsoft Windows the file is
> named %APPDATA%\postgresql\root.crt.) The SSL connection will fail
> if the server does not present a certificate; therefore, to use
> this feature the server must also have a root.crt file."
>
> The requirement that the server have a root.crt appears to be
> incorrect, at least in the tests I ran. Unless somebody can justify
> that statement I'll submit a documentation patch to correct it.
>
> --
> Michael Fuhr
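The layout Michael describes (server.key/server.crt in $PGDATA signed by some CA, root.crt for that CA on the client, nothing else) can be checked before pointing psql at the server. The script below is an added example, not from this thread or the PostgreSQL project: it builds a throwaway CA, signs a server.crt with it, and runs the same chain check libpq performs against ~/.postgresql/root.crt, once with the right CA and once with an unrelated one. It assumes the openssl CLI is installed; all names and paths are constructed.

```shell
#!/bin/sh
# Added example: reproduce libpq's client-side check of server.crt against
# root.crt using the openssl CLI. Assumes openssl is installed; the CA
# names, the CN and the $WORK directory are constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key + cert. NAME.crt is what the client
# would install as ~/.postgresql/root.crt.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$1" 2>/dev/null
}

# make_server_cert CA: server.key/server.crt as they would sit in $PGDATA,
# signed by CA. No root.crt is created on the server side.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# verify_with ROOT: the chain check libpq does with root.crt.
# Prints "ok" when server.crt chains to ROOT.crt, "fail" otherwise.
verify_with() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/server.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca dbca            # the CA that signs server.crt
make_ca otherca         # an unrelated CA the client might wrongly trust
make_server_cert dbca
RESULT_TRUSTED=$(verify_with dbca)       # root.crt matches the signer
RESULT_UNTRUSTED=$(verify_with otherca)  # root.crt is a different CA
```

The second result is the case the OP's client was in: with no ~/.postgresql/root.crt (or the wrong one), libpq has nothing to chain server.crt to, so the server's identity is never established even though the session is encrypted.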