From: Adrian Klaver <adrian.klaver@aklaver.com>
To: "Zwettler Markus (OIZ)", Tom Lane, pgsql-general@lists.postgresql.org
Subject: Re: could not accept ssl connection tlsv1 alert unknown ca
Date: Mon, 3 Feb 2025 08:44:08 -0800
Message-ID: <165acdff-2b3c-4425-9840-156e4806839e@aklaver.com>
In-Reply-To: <8893f1fe-ef95-47b7-83ce-858ec8366110@aklaver.com>
References: <3294022.1738259448@sss.pgh.pa.us> <8893f1fe-ef95-47b7-83ce-858ec8366110@aklaver.com>

On 2/3/25 08:09, Adrian Klaver wrote:
> On 2/3/25 02:14, Zwettler Markus (OIZ) wrote:
>> Is it possible to configure "clientcert=disable" in pg_hba.conf or
>> disable the client verification otherwise?
>> The docs only mention "verify-ca" and "verify-full".
>> "In addition to the method-specific options listed below, there is a
>> method-independent authentication option clientcert, which can be
>> specified in any hostssl record. This option can be set to verify-ca
>> or verify-full."
>> https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
>>
>
> From what I understand your client has to either not have the client
> certificates or create them correctly.
>

To follow up from here:

https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/libpq/be-secure-openssl.c;h=abf67bb1b2728e6d2cc9851ca71006d2fd0cde54;hb=HEAD

	/*
	 * Always ask for SSL client cert, but don't fail if it's not
	 * presented.  We might fail such connections later, depending on what
	 * we find in pg_hba.conf.
	 */
	SSL_CTX_set_verify(context,
					   (SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE),
					   verify_cb);

-- 
Adrian Klaver
adrian.klaver@aklaver.com
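An added example, not PostgreSQL's code, that reproduces the verify mode in the quoted snippet with Python's ssl module: CERT_OPTIONAL is SSL_VERIFY_PEER without FAIL_IF_NO_PEER_CERT, so the server asks for a client certificate, accepts its absence, and only aborts the handshake (the client then reads an unknown-CA alert) when a certificate is offered that does not chain to its CA file. It assumes the openssl CLI is on PATH; all certificates are generated into a temp dir for the demo, and the handshake is driven in memory.

```python
import ssl, subprocess, tempfile

def make_demo_pki():
    # Constructed demo PKI: root CA, two leaf certs it issued, one self-signed stray.
    run = lambda *a: subprocess.run(["openssl", *a], check=True, capture_output=True)
    d = tempfile.mkdtemp()
    key = ("-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:P-256", "-nodes")
    for n in ("root", "bad"):  # two independent self-signed roots
        run("req", "-x509", *key, "-days", "1", "-subj", f"/CN={n}",
            "-keyout", f"{d}/{n}.key", "-out", f"{d}/{n}.crt")
    for n in ("server", "good"):  # leaf certs issued by root
        run("req", *key, "-subj", f"/CN={n}", "-keyout", f"{d}/{n}.key",
            "-out", f"{d}/{n}.csr")
        run("x509", "-req", "-in", f"{d}/{n}.csr", "-CA", f"{d}/root.crt",
            "-CAkey", f"{d}/root.key", "-CAcreateserial", "-days", "1",
            "-out", f"{d}/{n}.crt")
    return d

def handshake(pki, client_cert=None):
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(f"{pki}/server.crt", f"{pki}/server.key")
    srv.load_verify_locations(f"{pki}/root.crt")  # stands in for ssl_ca_file
    srv.verify_mode = ssl.CERT_OPTIONAL  # SSL_VERIFY_PEER, no FAIL_IF_NO_PEER_CERT
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False
    cli.load_verify_locations(f"{pki}/root.crt")
    if client_cert:  # a client that has a client certificate to offer
        cli.load_cert_chain(f"{pki}/{client_cert}.crt", f"{pki}/{client_cert}.key")
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    c, s = cli.wrap_bio(c_in, c_out), srv.wrap_bio(s_in, s_out, server_side=True)
    def step(obj):  # one handshake step, then shuttle records both ways
        try:
            obj.do_handshake()
            return True
        except ssl.SSLWantReadError:
            return False
        finally:
            s_in.write(c_out.read())
            c_in.write(s_out.read())
    try:
        for _ in range(8):
            if step(c) & step(s):  # both sides finished: (server, client) outcome
                return ("ok", "ok")
        return ("stalled", "stalled")
    except ssl.SSLError as server_err:  # server rejected the presented cert
        try:
            c.read()  # the client now reads the server's alert
            return (server_err.reason, "no alert")
        except ssl.SSLError as client_err:
            return (server_err.reason, client_err.reason)
```

With no client certificate or one issued by root the handshake completes; with the stray self-signed certificate the server fails verification and the client sees the same "unknown ca" alert the thread is about.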