Re: could not accept ssl connection tlsv1 alert unknown ca

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Adrian Klaver <[email protected]>
To: Zwettler Markus (OIZ) <[email protected]>
To: Tom Lane <[email protected]>
To: [email protected] <[email protected]>
Subject: Re: could not accept ssl connection tlsv1 alert unknown ca
Date: Mon, 3 Feb 2025 08:44:08 -0800
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <GV0P278MB0099D57F417CC2985E16BDBB8BE92@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
	<[email protected]>
	<GV0P278MB009999F084B3BEE630C0AA8F8BE82@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
	<[email protected]>
	<GV0P278MB009904C70F516CBF0418805A8BE82@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
	<[email protected]>
	<GV0P278MB00998D54B2F868061D05BC178BF52@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
	<GV0P278MB00997E04E572BE316E544B048BF52@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
	<[email protected]>

On 2/3/25 08:09, Adrian Klaver wrote:
> On 2/3/25 02:14, Zwettler Markus (OIZ) wrote:

>> Is it possible to configure "clientcert=disable" in pg_hba.conf or 
>> disable the client verification otherwise?
>> The docs only mention "verify-ca" and "verify-full".
>> "In addition to the method-specific options listed below, there is a 
>> method-independent authentication option clientcert, which can be 
>> specified in any hostssl record. This option can be set to verify-ca 
>> or verify-full."
>> https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
>>
> 
>  From what I understand your client has to either not have the client 
> certificates or create them correctly.
> 

To follow up from here:

https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/libpq/be-secure-openssl.c;h...

/*
* Always ask for SSL client cert, but don't fail if it's not
* presented.  We might fail such connections later, depending on what
* we find in pg_hba.conf.
*/
          SSL_CTX_set_verify(context,
                             (SSL_VERIFY_PEER |
                              SSL_VERIFY_CLIENT_ONCE),
                             verify_cb);

-- 
Adrian Klaver
[email protected]

view thread (3+ messages)

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: could not accept ssl connection tlsv1 alert unknown ca
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox