From: Tom Lane
To: "Zwettler Markus (OIZ)"
cc: "pgsql-general@lists.postgresql.org"
Subject: Re: could not accept ssl connection tlsv1 alert unknown ca
Date: Thu, 30 Jan 2025 12:50:48 -0500
Message-ID: <3294022.1738259448@sss.pgh.pa.us>
In-reply-to: "Zwettler Markus (OIZ)" message dated "Thu, 30 Jan 2025 17:21:02 +0000"

"Zwettler Markus (OIZ)" writes:
> However, one client also configured some client certificates + "sslmode=prefer" which resulted in "could not accept ssl connection tlsv1 alert unknown ca".
I'm no expert, but I think this typically means a missing or untrusted intermediate certificate, that is, no chain of trust to one of the certs that your OpenSSL considers trusted.

> I always thought that Postgres does only validate certificates with "sslmode=verify-ca" and "sslmode=verify-full" => https://www.postgresql.org/docs/current/libpq-ssl.html

Those cause some additional checks to be made, but it's not like you can expect a completely broken certificate to work without them.

			regards, tom lane
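The failure modes Tom describes (a server that presents only its leaf certificate without the intermediate, and a chain that ends at a root the client does not trust) can be reproduced offline without any PostgreSQL or OpenSSL setup. The following Go program is an added example, not code from the thread or from the PostgreSQL project: it builds a constructed three-tier PKI in memory (root CA, intermediate CA, server leaf for the made-up hostname db.example.test) and runs the same path-building check a TLS client performs, using Go's crypto/x509 in place of OpenSSL. The chain check corresponds to what sslmode=verify-ca adds, and the chain plus hostname check to what sslmode=verify-full adds; the certificate names, serial numbers and hostnames are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certPair is a constructed certificate together with its private key.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate from tmpl signed by parent, or self-signed when parent is nil.
func issue(tmpl *x509.Certificate, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, key: key}, nil
}

// caTemplate is a CA certificate template (constructed names, short validity).
func caTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// leafTemplate is a server certificate template covering exactly one hostname.
func leafTemplate(serial int64, host string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verify is the client-side check: leaf against the client's trusted roots, using whatever
// intermediates the server presented in the handshake, plus a hostname check when host != "".
func verify(leaf *x509.Certificate, roots, presented []*x509.Certificate, host string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: host}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range presented {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// Outcome records what each client-side check concluded.
type Outcome struct {
	LeafAloneIsUnknownCA   bool // server sent only its leaf: no path to the trusted root
	OtherRootIsUnknownCA   bool // full chain sent, but the client trusts a different root
	ChainVerifies          bool // leaf + intermediate against the right root (verify-ca level)
	ChainAndHostnameVerify bool // same, plus hostname match (verify-full level)
	WrongHostnameRejected  bool // same chain, but a name the certificate does not cover
}

// RunScenario builds the constructed PKI and exercises the checks.
func RunScenario() (Outcome, error) {
	var o Outcome
	root, err := issue(caTemplate(1, "Constructed Root CA"), nil)
	if err != nil { return o, err }
	inter, err := issue(caTemplate(2, "Constructed Intermediate CA"), root)
	if err != nil { return o, err }
	leaf, err := issue(leafTemplate(3, "db.example.test"), inter)
	if err != nil { return o, err }
	otherRoot, err := issue(caTemplate(4, "Unrelated Root CA"), nil)
	if err != nil { return o, err }

	trusted := []*x509.Certificate{root.cert}
	chain := []*x509.Certificate{inter.cert}
	var unknown x509.UnknownAuthorityError // the Go counterpart of "unknown ca"
	var hostErr x509.HostnameError

	o.LeafAloneIsUnknownCA = errors.As(verify(leaf.cert, trusted, nil, ""), &unknown)
	o.OtherRootIsUnknownCA = errors.As(verify(leaf.cert, []*x509.Certificate{otherRoot.cert}, chain, ""), &unknown)
	o.ChainVerifies = verify(leaf.cert, trusted, chain, "") == nil
	o.ChainAndHostnameVerify = verify(leaf.cert, trusted, chain, "db.example.test") == nil
	o.WrongHostnameRejected = errors.As(verify(leaf.cert, trusted, chain, "other.example.test"), &hostErr)
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The two "unknown CA" cases are the ones to look for when a server logs this alert: either the server's certificate file lacks the intermediate (fix by appending it after the leaf in the server's certificate file) or the client's trust store lacks the right root. The last case shows why verify-full is stricter than verify-ca: a perfectly good chain is still rejected when the hostname the client connected to is not one the certificate covers.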