Re: Re: could not accept ssl connection tlsv1 alert unknown ca

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Zwettler Markus (OIZ) <[email protected]>
To: Tom Lane <[email protected]>
To: [email protected] <[email protected]>
Subject: Re: Re: could not accept ssl connection tlsv1 alert unknown ca
Date: Fri, 31 Jan 2025 08:57:40 +0000
Message-ID: <GV0P278MB009999F084B3BEE630C0AA8F8BE82@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <[email protected]>
References: <GV0P278MB0099D57F417CC2985E16BDBB8BE92@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
	<[email protected]>

> Von: Tom Lane <[email protected]>
> Gesendet: Donnerstag, 30. Januar 2025 18:51
> An: Zwettler Markus (OIZ) <[email protected]>
> Cc: [email protected]
> Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca
> 
> "Zwettler Markus (OIZ)" <[email protected]> writes:
> > However, one client also configured some client certificates + "sslmode=prefer"
> which resulted in "could not accept ssl connection tlsv1 alert unknown ca".
> 
> I'm no expert, but I think this typically means a missing or untrusted intermediate
> certificate, that is no chain of trust to one of the certs that your OpenSSL
> considers trusted.
> 
> > I always thought that Postgres does only validate certificates with
> > "sslmode=verify-ca" and "sslmode=verify-full" =>
> > https://www.postgresql.org/docs/current/libpq-ssl.html
> 
> Those cause some additional checks to be made, but it's not like you can expect a
> completely broken certificate to work without them.
> 
>                         regards, tom lane



I don't understand why Postgres does a certificate validation with “sslmode=prefer”. Postgres should simply ignore every presented client certificate here. Regardless of whether it is trusted or not.

A certificate validation should only take place in the modes “sslmode=verify-ca” and “ssmode=verify-full”. Only here should Postgres refuse a connection with non-trusted certificates.

At least that's what I read in the documentation. No?

Regards, Markus

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected]
  Subject: Re: Re: could not accept ssl connection tlsv1 alert unknown ca
  In-Reply-To: <GV0P278MB009999F084B3BEE630C0AA8F8BE82@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox