Date: Fri, 31 Jan 2025 08:37:24 -0800
Subject: Re: could not accept ssl connection tlsv1 alert unknown ca
To: "Zwettler Markus (OIZ)", Tom Lane, "pgsql-general@lists.postgresql.org"
References: <3294022.1738259448@sss.pgh.pa.us>
From: Adrian Klaver
List-Id: pgsql-general

On 1/31/25 00:57, Zwettler Markus (OIZ) wrote:
>> From: Tom Lane
>> Those cause some additional checks to be made, but it's not like you can expect a
>> completely broken certificate to work without them.
>>
>> regards, tom lane
>
> I don't understand why Postgres does a certificate validation with "sslmode=prefer". Postgres should simply ignore every presented client certificate here. Regardless of whether it is trusted or not.

What are the relevant lines in pg_hba.conf?

> A certificate validation should only take place in the modes "sslmode=verify-ca" and "sslmode=verify-full". Only here should Postgres refuse a connection with non-trusted certificates.
>
> At least that's what I read in the documentation. No?
>
> Regards, Markus

-- 
Adrian Klaver
adrian.klaver@aklaver.com
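The question in this reply, which pg_hba.conf lines are in play, points at the distinction the thread turns on: libpq's `sslmode` only governs what the *client* verifies about the *server*, while whether the server demands a trusted *client* certificate is decided server-side, by the `cert` auth method or the `clientcert=verify-ca` / `clientcert=verify-full` option on a `hostssl` record. The following script is an added example, not code from the thread or from PostgreSQL itself; it parses constructed pg_hba.conf records (CIDR address form assumed, the separate-netmask form is not handled) and reports, for a given client `sslmode`, which side checks which certificate.

```python
"""Added example (not from the mailing-list thread): audit which side verifies
which certificate for a PostgreSQL connection.

Client side follows the documented libpq sslmode semantics. Server side is read
from pg_hba.conf, where the `cert` auth method or clientcert=verify-ca /
verify-full is what makes the server demand a trusted client certificate.
The sample pg_hba.conf below is constructed for the demo."""

import shlex

# libpq sslmode -> (TLS required, server CA checked, server hostname checked)
SSLMODE_CLIENT_CHECKS = {
    "disable":     (False, False, False),
    "allow":       (False, False, False),
    "prefer":      (False, False, False),
    "require":     (True,  False, False),
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}

HBA_FIELDS = ("type", "database", "user", "address", "method")

def parse_hba_line(line):
    """Parse one pg_hba.conf record into a dict; return None for blank/comment lines.
    'local' records have no address column. Everything after the auth method is
    treated as name=value options. Assumes the CIDR address form (a.b.c.d/n)."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    tokens = shlex.split(stripped)
    keys = ("type", "database", "user", "method") if tokens[0] == "local" else HBA_FIELDS
    if len(tokens) < len(keys):
        raise ValueError(f"too few fields in pg_hba.conf record: {line!r}")
    entry = dict(zip(keys, tokens))
    entry["options"] = {}
    for opt in tokens[len(keys):]:
        name, _, value = opt.partition("=")
        entry["options"][name] = value
    return entry

def server_demands_client_cert(entry):
    """True when this record makes the server insist on a client certificate
    signed by its CA: the cert auth method always does; otherwise only
    clientcert=verify-ca or clientcert=verify-full does."""
    if entry["method"] == "cert":
        return True
    return entry["options"].get("clientcert") in ("verify-ca", "verify-full")

def audit(hba_text, sslmode):
    """For every pg_hba.conf record, report the server-side client-cert demand
    together with what a libpq client using `sslmode` verifies about the server."""
    if sslmode not in SSLMODE_CLIENT_CHECKS:
        raise ValueError(f"unknown sslmode {sslmode!r}")
    tls_required, check_ca, check_host = SSLMODE_CLIENT_CHECKS[sslmode]
    findings = []
    for line in hba_text.splitlines():
        entry = parse_hba_line(line)
        if entry is None:
            continue
        findings.append({
            "type": entry["type"],
            "method": entry["method"],
            "server_demands_client_cert": server_demands_client_cert(entry),
            "client_requires_tls": tls_required,
            "client_checks_server_ca": check_ca,
            "client_checks_hostname": check_host,
        })
    return findings

# Constructed sample records, not a real configuration.
SAMPLE_HBA = """\
# constructed sample pg_hba.conf
local   all   all                      peer
host    all   all   127.0.0.1/32       scram-sha-256
hostssl all   app   10.0.0.0/8         scram-sha-256 clientcert=verify-full
hostssl all   all   0.0.0.0/0          cert
"""

if __name__ == "__main__":
    for mode in ("prefer", "verify-full"):
        print(f"client sslmode={mode}")
        for f in audit(SAMPLE_HBA, mode):
            print("  ", f)
```

Running it shows the asymmetry: with `sslmode=prefer` the client verifies nothing about the server, yet the two `hostssl` records still make the server demand a CA-signed client certificate. Whether a *presented but untrusted* client certificate is accepted on a record that does not demand one is a server-side matter and is exactly what the pg_hba.conf lines asked for in the reply would settle.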