public inbox for [email protected]
From: Zwettler Markus (OIZ) <[email protected]>
To: Adrian Klaver <[email protected]>
To: Tom Lane <[email protected]>
To: [email protected] <[email protected]>
Subject: Re: Re: could not accept ssl connection tlsv1 alert unknown ca
Date: Fri, 31 Jan 2025 16:57:54 +0000
Message-ID: <GV0P278MB009904C70F516CBF0418805A8BE82@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <[email protected]>
References: <GV0P278MB0099D57F417CC2985E16BDBB8BE92@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
<[email protected]>
<GV0P278MB009999F084B3BEE630C0AA8F8BE82@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
<[email protected]>
> -----Original Message-----
> From: Adrian Klaver <[email protected]>
> Sent: Friday, 31 January 2025 17:37
> To: Zwettler Markus (OIZ) <[email protected]>; Tom Lane
> <[email protected]>; [email protected]
> Subject: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca
>
> On 1/31/25 00:57, Zwettler Markus (OIZ) wrote:
> >> From: Tom Lane <[email protected]>
>
> >> Those cause some additional checks to be made, but it's not like you
> >> can expect a completely broken certificate to work without them.
> >>
> >> regards, tom lane
> >
> >
> >
> > I don't understand why Postgres does a certificate validation with
> “sslmode=prefer”. Postgres should simply ignore every presented client certificate
> here. Regardless of whether it is trusted or not.
>
> What are the relevant lines in pg_hba.conf?
>
> >
> > A certificate validation should only take place in the modes “sslmode=verify-ca”
> and “sslmode=verify-full”. Only here should Postgres refuse a connection with
> non-trusted certificates.
> >
> > At least that's what I read in the documentation. No?
> >
> > Regards, Markus
> >
>
> --
> Adrian Klaver
> [email protected]
>
bash-4.4$ cat pg_hba.conf
# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
host all "ccp_monitoring" "::1/128" scram-sha-256
host all "ccp_monitoring" all reject
hostssl all all all md5
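As an added example (not code from anyone in this thread), the pg_hba.conf above can be run through a small matcher that reproduces PostgreSQL's first-match record selection, to see which record, and therefore which authentication method, a given connection lands on, independent of the client's sslmode. It assumes CIDR address fields only (no samehost/samenet or hostnames) and the connections it is asked about are constructed.

```python
import ipaddress

# pg_hba.conf as posted in the thread (comment lines dropped).
PG_HBA = """
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
host all "ccp_monitoring" "::1/128" scram-sha-256
host all "ccp_monitoring" all reject
hostssl all all all md5
"""

def parse_hba(text):
    """Yield (type, database, user, address, method) per record; 'local' records have no address."""
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f:
            yield tuple(f[:3] + [None] + f[3:]) if f[0] == "local" else tuple(f[:5])

def name_matches(field, value, is_db):
    # A quoted token is always a literal name; unquoted all/replication are keywords.
    if field.startswith('"'):
        return field.strip('"') == value
    if field == "all":
        return not (is_db and value == "replication")  # 'all' never covers physical replication
    return field == value                              # covers the 'replication' keyword

def address_matches(field, addr):
    if field == "all":
        return True
    # CIDR only (assumption); samehost/samenet and hostnames are not handled here.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(field.strip('"'), strict=False)

def auth_method(rules, database, user, address=None, ssl=False):
    """First matching record decides; later records are never consulted.
    address=None is a Unix socket, database="replication" a physical replication
    connection. Returns None when no record matches (PostgreSQL then rejects)."""
    for ctype, db, usr, addr, method in rules:
        if ctype == "local":
            if address is not None:
                continue
        elif address is None or not {"host": True, "hostssl": ssl,
                                     "hostnossl": not ssl}.get(ctype, False):
            continue
        if (name_matches(db, database, True) and name_matches(usr, user, False)
                and (addr is None or address_matches(addr, address))):
            return method
    return None
```

Only the two `cert` records demand a client certificate at the pg_hba level; an ordinary application user over SSL lands on the final `md5` record, and the same user without SSL matches nothing at all.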