From: "Zwettler Markus (OIZ)"
To: "pgsql-general@lists.postgresql.org"
Subject: could not accept ssl connection tlsv1 alert unknown ca
Date: Thu, 30 Jan 2025 17:21:02 +0000

We wanted to use pure ssl encryption without certificate validation.

We created and configured self-signed certificates at the postgres server, turned "sslmode=on" and advised our clients to use "sslmode=prefer". This worked very well.

However, one client also configured some client certificates + "sslmode=prefer", which resulted in "could not accept ssl connection tlsv1 alert unknown ca".

I always thought that Postgres only validates certificates with "sslmode=verify-ca" and "sslmode=verify-full" => https://www.postgresql.org/docs/current/libpq-ssl.html

Did I get something wrong?