Date: Mon, 26 Mar 2007 09:35:33 -0400
From: Ray Stell
To: Tom Lane
Cc: Michael Fuhr, pgsql-admin@postgresql.org
Subject: Re: no verification of client certificate?
Message-ID: <20070326133533.GA17380@cns.vt.edu>
References: <20070323181626.GA16092@cns.vt.edu> <25532.1174687277@sss.pgh.pa.us> <20070324020434.GA18533@cns.vt.edu> <1950.1174874480@sss.pgh.pa.us> <20070326025713.GA5653@winnie.fuhr.org> <3130.1174881861@sss.pgh.pa.us>
In-Reply-To: <3130.1174881861@sss.pgh.pa.us>

On Mon, Mar 26, 2007 at 12:04:21AM -0400, Tom Lane wrote:
> Michael Fuhr writes:
> > On Sun, Mar 25, 2007 at 10:01:20PM -0400, Tom Lane wrote:
> >> I looked more closely and you are right: if the server does not have
> >> a root.crt file then it doesn't send its server cert to the client,
> >> and so there's no way for the client to verify the cert.
>
> > Eh? ssldump shows otherwise here with 8.2.3.
>
> Well, if it works then why is the OP complaining?

Two reasons:

1. I was following: http://www.postgresql.org/docs/8.2/interactive/ssl-tcp.html
   I did not know this page existed: http://www.postgresql.org/docs/8.2/interactive/libpq-ssl.html
   Connecting the two pages would have helped me.

2. I probably made a mistake trying the various combinations. Knowing how Michael traced the connection with ssldump would be VERY helpful. Trying to put it together from strace is much harder and I probably made multiple mistakes. I was on a fishing expedition at best as I didn't know how it went together.
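The wire exchange the thread is tracing with ssldump, as an added example that is not part of this thread or of PostgreSQL/libpq: a minimal client sends the PostgreSQL SSLRequest packet, reads the one-byte 'S'/'N' answer, then upgrades the socket to TLS and verifies the server certificate against a root.crt, optionally presenting a client certificate. Host, port and file paths are assumptions.

```python
"""Probe a PostgreSQL server's SSL negotiation and verify its certificate.
Added example; host/port/paths are assumptions, not values from the thread."""
import socket
import ssl
import struct

# SSLRequest payload: int32 length (8) followed by int32 code 80877103,
# which is (1234 << 16) | 5679 in the protocol's "special request" space.
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """The 8-byte SSLRequest a client sends before any TLS bytes."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def parse_ssl_response(byte: bytes) -> bool:
    """Server replies with one byte: b'S' = proceed with SSL, b'N' = no SSL."""
    if byte == b"S":
        return True
    if byte == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {byte!r}")


def make_context(root_crt, client_crt=None, client_key=None) -> ssl.SSLContext:
    """Verify the server chain against root_crt (the libpq ~/.postgresql/root.crt
    role); hostname matching is left off so the check is chain validation only,
    which is the step the thread is about. Load a client cert if one is given."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=root_crt)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_crt:
        ctx.load_cert_chain(client_crt, client_key)
    return ctx


def probe(host="localhost", port=5432, root_crt="root.crt",
          client_crt=None, client_key=None) -> dict:
    """Do the SSLRequest dance, then report what the server presented."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_ssl_request())
        if not parse_ssl_response(sock.recv(1)):
            return {"ssl": False}
        ctx = make_context(root_crt, client_crt, client_key)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()  # raises during wrap if chain fails
            return {"ssl": True, "version": tls.version(),
                    "subject": cert.get("subject"), "issuer": cert.get("issuer")}


if __name__ == "__main__":
    print(probe())
```

If the server requests a client certificate and none is loaded, the handshake fails inside `wrap_socket`, which is the observable difference between a server with and without a root.crt of its own.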