public inbox for [email protected]

Re: could not accept ssl connection tlsv1 alert unknown ca (4+ messages / 2 participants)
* Re: could not accept ssl connection tlsv1 alert unknown ca
From: Adrian Klaver <[email protected]>
Date: 2025-01-31 16:37 UTC
To: Zwettler Markus (OIZ) <[email protected]>; Tom Lane <[email protected]>; [email protected] <[email protected]>

On 1/31/25 00:57, Zwettler Markus (OIZ) wrote:
>> From: Tom Lane <[email protected]>
>> Those cause some additional checks to be made, but it's not like you can expect a
>> completely broken certificate to work without them.
>>
>> regards, tom lane
>
> I don't understand why Postgres does a certificate validation with
> “sslmode=prefer”. Postgres should simply ignore every presented client
> certificate here. Regardless of whether it is trusted or not.

What are the relevant lines in pg_hba.conf?

> A certificate validation should only take place in the modes
> “sslmode=verify-ca” and “sslmode=verify-full”. Only here should Postgres
> refuse a connection with non-trusted certificates.
>
> At least that's what I read in the documentation. No?
>
> Regards, Markus

-- 
Adrian Klaver
[email protected]
* Re: Re: could not accept ssl connection tlsv1 alert unknown ca
From: Zwettler Markus (OIZ) <[email protected]>
Date: 2025-01-31 16:57 UTC
To: Adrian Klaver <[email protected]>; Tom Lane <[email protected]>; [email protected] <[email protected]>
Parent: Adrian Klaver <[email protected]>

> -----Original Message-----
> From: Adrian Klaver <[email protected]>
> Sent: Friday, 31 January 2025 17:37
> To: Zwettler Markus (OIZ) <[email protected]>; Tom Lane <[email protected]>; [email protected]
> Subject: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca
>
> On 1/31/25 00:57, Zwettler Markus (OIZ) wrote:
> >> From: Tom Lane <[email protected]>
> >> Those cause some additional checks to be made, but it's not like you
> >> can expect a completely broken certificate to work without them.
> >>
> >> regards, tom lane
> >
> > I don't understand why Postgres does a certificate validation with
> > “sslmode=prefer”. Postgres should simply ignore every presented client
> > certificate here. Regardless of whether it is trusted or not.
>
> What are the relevant lines in pg_hba.conf?
>
> > A certificate validation should only take place in the modes
> > “sslmode=verify-ca” and “sslmode=verify-full”. Only here should
> > Postgres refuse a connection with non-trusted certificates.
> >
> > At least that's what I read in the documentation. No?
> >
> > Regards, Markus
>
> --
> Adrian Klaver
> [email protected]

bash-4.4$ cat pg_hba.conf
# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
host all "ccp_monitoring" "::1/128" scram-sha-256
host all "ccp_monitoring" all reject
hostssl all all all md5
* Re: could not accept ssl connection tlsv1 alert unknown ca
From: Adrian Klaver <[email protected]>
Date: 2025-01-31 17:07 UTC
To: Zwettler Markus (OIZ) <[email protected]>; Tom Lane <[email protected]>; [email protected] <[email protected]>
Parent: Zwettler Markus (OIZ) <[email protected]>

On 1/31/25 08:57, Zwettler Markus (OIZ) wrote:
> bash-4.4$ cat pg_hba.conf
> # Do not edit this file manually!
> # It will be overwritten by Patroni!
> local all "postgres" peer
> hostssl replication "_crunchyrepl" all cert
> hostssl "postgres" "_crunchyrepl" all cert
> host all "_crunchyrepl" all reject
> host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
> host all "ccp_monitoring" "::1/128" scram-sha-256
> host all "ccp_monitoring" all reject
> hostssl all all all md5

From here:

https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES

"There are two approaches to enforce that users provide a certificate during login.

The first approach makes use of the cert authentication method for hostssl entries in pg_hba.conf, such that the certificate itself is used for authentication while also providing ssl connection security.

[...]

The second approach combines any authentication method for hostssl entries with the verification of client certificates by setting the clientcert authentication option to verify-ca or verify-full. ... "

Is the client having issues trying a connection that matches either of the lines below?:

hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert

-- 
Adrian Klaver
[email protected]
* Re: Re: could not accept ssl connection tlsv1 alert unknown ca
From: Zwettler Markus (OIZ) <[email protected]>
Date: 2025-02-03 08:37 UTC
To: Adrian Klaver <[email protected]>; Tom Lane <[email protected]>; [email protected] <[email protected]>
Parent: Adrian Klaver <[email protected]>

> -----Original Message-----
> From: Adrian Klaver <[email protected]>
> Sent: Friday, 31 January 2025 18:07
> To: Zwettler Markus (OIZ) <[email protected]>; Tom Lane <[email protected]>; [email protected]
> Subject: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca
>
> On 1/31/25 08:57, Zwettler Markus (OIZ) wrote:
> > bash-4.4$ cat pg_hba.conf
> > # Do not edit this file manually!
> > # It will be overwritten by Patroni!
> > local all "postgres" peer
> > hostssl replication "_crunchyrepl" all cert
> > hostssl "postgres" "_crunchyrepl" all cert
> > host all "_crunchyrepl" all reject
> > host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
> > host all "ccp_monitoring" "::1/128" scram-sha-256
> > host all "ccp_monitoring" all reject
> > hostssl all all all md5
>
> From here:
>
> https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
>
> "There are two approaches to enforce that users provide a certificate during login.
>
> The first approach makes use of the cert authentication method for hostssl entries
> in pg_hba.conf, such that the certificate itself is used for authentication while also
> providing ssl connection security.
>
> [...]
>
> The second approach combines any authentication method for hostssl entries with
> the verification of client certificates by setting the clientcert authentication option
> to verify-ca or verify-full. ... "
>
> Is the client having issues trying a connection that matches either of the lines
> below?:
>
> hostssl replication "_crunchyrepl" all cert
> hostssl "postgres" "_crunchyrepl" all cert
>
> --
> Adrian Klaver
> [email protected]

No, there are no errors with the lines mentioned.

The error appears with a connection that matches the last line.

bash-4.4$ cat pg_hba.conf
# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
host all "ccp_monitoring" "::1/128" scram-sha-256
host all "ccp_monitoring" all reject
hostssl all all all md5 <<== user connection matching this line gives the error
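As an added example (not code from the thread or from PostgreSQL), the following Python script walks the pg_hba.conf posted above the way the server does, first match wins, and reports which entry a connection attempt hits and whether that entry makes the server verify a client certificate (the cert method, or clientcert=verify-ca/verify-full on another method). The connection attempts it is exercised with (app_user, appdb, 10.0.0.5 and so on) are constructed, and it is not a full pg_hba.conf parser.

```python
# Added example, not code from the thread: a minimal pg_hba.conf matcher. It reports
# which entry a connection attempt hits (first match wins, as in PostgreSQL) and whether
# that entry makes the server verify a client certificate. Only the entry shapes used in
# the thread's file are handled (no @files, +groups, samenet/sameuser, regexes, netmasks).
import ipaddress
import shlex

PG_HBA = """# the pg_hba.conf posted in the thread, embedded here as sample input
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
host all "ccp_monitoring" "::1/128" scram-sha-256
host all "ccp_monitoring" all reject
hostssl all all all md5
"""

def parse_hba(text):
    entries = []  # kept in file order; comments and blank lines are dropped
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = shlex.split(line)    # also strips the quotes around "_crunchyrepl"
        local = f[0] == "local"  # local entries have no address column
        entries.append({"type": f[0], "db": f[1], "user": f[2],
                        "addr": None if local else f[3],
                        "method": f[3] if local else f[4],
                        "opts": dict(o.split("=", 1) for o in f[4 if local else 5:])})
    return entries

def match(entries, conn_type, db, user, addr=None):
    """First entry matching the attempt, or None (PostgreSQL then rejects). conn_type is
    "local", "hostssl" (TLS) or "hostnossl" (plain TCP); db="replication" for replication."""
    for e in entries:
        if e["type"] != conn_type and not (e["type"] == "host" and conn_type != "local"):
            continue
        if e["db"] not in ("all", db) or e["user"] not in ("all", user):
            continue
        # CIDR membership is False across IPv4/IPv6 families, as in PostgreSQL
        if e["addr"] in (None, "all") or ipaddress.ip_address(addr) in ipaddress.ip_network(e["addr"], strict=False):
            return e
    return None

def requires_client_cert(entry):
    """True for the cert method, or clientcert=verify-ca/verify-full on any other method."""
    return (entry["method"] == "cert"
            or entry["opts"].get("clientcert") in ("verify-ca", "verify-full"))
```

This only answers the pg_hba.conf side of the question: the server consults these entries after the TLS handshake has completed, so a handshake that already failed with the unknown ca alert never reaches them.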