Re: could not accept ssl connection tlsv1 alert unknown ca

public inbox for [email protected]  
help / color / mirror / Atom feed

Re: could not accept ssl connection tlsv1 alert unknown ca
4+ messages / 2 participants
[nested] [flat]

* Re: could not accept ssl connection tlsv1 alert unknown ca
@ 2025-01-31 16:37 Adrian Klaver <[email protected]>
  2025-01-31 16:57 ` Re: Re: could not accept ssl connection tlsv1 alert unknown ca Zwettler Markus (OIZ) <[email protected]>
  0 siblings, 1 reply; 4+ messages in thread

From: Adrian Klaver @ 2025-01-31 16:37 UTC (permalink / raw)
  To: Zwettler Markus (OIZ) <[email protected]>; Tom Lane <[email protected]>; [email protected] <[email protected]>

On 1/31/25 00:57, Zwettler Markus (OIZ) wrote:
>> Von: Tom Lane <[email protected]>

>> Those cause some additional checks to be made, but it's not like you can expect a
>> completely broken certificate to work without them.
>>
>>                          regards, tom lane
> 
> 
> 
> I don't understand why Postgres does a certificate validation with “sslmode=prefer”. Postgres should simply ignore every presented client certificate here. Regardless of whether it is trusted or not.

What are the relevant lines in pg_hba.conf?

> 
> A certificate validation should only take place in the modes “sslmode=verify-ca” and “ssmode=verify-full”. Only here should Postgres refuse a connection with non-trusted certificates.
> 
> At least that's what I read in the documentation. No?
> 
> Regards, Markus
> 

-- 
Adrian Klaver
[email protected]







^ permalink  raw  reply  [nested|flat] 4+ messages in thread

* Re: Re: could not accept ssl connection tlsv1 alert unknown ca
  2025-01-31 16:37 Re: could not accept ssl connection tlsv1 alert unknown ca Adrian Klaver <[email protected]>
@ 2025-01-31 16:57 ` Zwettler Markus (OIZ) <[email protected]>
  2025-01-31 17:07   ` Re: could not accept ssl connection tlsv1 alert unknown ca Adrian Klaver <[email protected]>
  0 siblings, 1 reply; 4+ messages in thread

From: Zwettler Markus (OIZ) @ 2025-01-31 16:57 UTC (permalink / raw)
  To: Adrian Klaver <[email protected]>; Tom Lane <[email protected]>; [email protected] <[email protected]>

> -----Ursprüngliche Nachricht-----
> Von: Adrian Klaver <[email protected]>
> Gesendet: Freitag, 31. Januar 2025 17:37
> An: Zwettler Markus (OIZ) <[email protected]>; Tom Lane
> <[email protected]>; [email protected]
> Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca
> 
> On 1/31/25 00:57, Zwettler Markus (OIZ) wrote:
> >> Von: Tom Lane <[email protected]>
> 
> >> Those cause some additional checks to be made, but it's not like you
> >> can expect a completely broken certificate to work without them.
> >>
> >>                          regards, tom lane
> >
> >
> >
> > I don't understand why Postgres does a certificate validation with
> “sslmode=prefer”. Postgres should simply ignore every presented client certificate
> here. Regardless of whether it is trusted or not.
> 
> What are the relevant lines in pg_hba.conf?
> 
> >
> > A certificate validation should only take place in the modes “sslmode=verify-ca”
> and “ssmode=verify-full”. Only here should Postgres refuse a connection with non-
> trusted certificates.
> >
> > At least that's what I read in the documentation. No?
> >
> > Regards, Markus
> >
> 
> --
> Adrian Klaver
> [email protected]
> 




bash-4.4$ cat pg_hba.conf
# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
host all "ccp_monitoring" "::1/128" scram-sha-256
host all "ccp_monitoring" all reject
hostssl all all all md5





^ permalink  raw  reply  [nested|flat] 4+ messages in thread

* Re: could not accept ssl connection tlsv1 alert unknown ca
  2025-01-31 16:37 Re: could not accept ssl connection tlsv1 alert unknown ca Adrian Klaver <[email protected]>
  2025-01-31 16:57 ` Re: Re: could not accept ssl connection tlsv1 alert unknown ca Zwettler Markus (OIZ) <[email protected]>
@ 2025-01-31 17:07   ` Adrian Klaver <[email protected]>
  2025-02-03 08:37     ` Re: Re: could not accept ssl connection tlsv1 alert unknown ca Zwettler Markus (OIZ) <[email protected]>
  0 siblings, 1 reply; 4+ messages in thread

From: Adrian Klaver @ 2025-01-31 17:07 UTC (permalink / raw)
  To: Zwettler Markus (OIZ) <[email protected]>; Tom Lane <[email protected]>; [email protected] <[email protected]>

On 1/31/25 08:57, Zwettler Markus (OIZ) wrote:

> bash-4.4$ cat pg_hba.conf
> # Do not edit this file manually!
> # It will be overwritten by Patroni!
> local all "postgres" peer
> hostssl replication "_crunchyrepl" all cert
> hostssl "postgres" "_crunchyrepl" all cert
> host all "_crunchyrepl" all reject
> host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
> host all "ccp_monitoring" "::1/128" scram-sha-256
> host all "ccp_monitoring" all reject
> hostssl all all all md5

 From here:

https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES

"There are two approaches to enforce that users provide a certificate 
during login.

The first approach makes use of the cert authentication method for 
hostssl entries in pg_hba.conf, such that the certificate itself is used 
for authentication while also providing ssl connection security.

[...]

The second approach combines any authentication method for hostssl 
entries with the verification of client certificates by setting the 
clientcert authentication option to verify-ca or verify-full.  ...
"

Is the client having issues trying a connection that matches either of 
the lines below?:

hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert

> 
> 
> 

-- 
Adrian Klaver
[email protected]

^ permalink  raw  reply  [nested|flat] 4+ messages in thread

* Re: Re: could not accept ssl connection tlsv1 alert unknown ca
  2025-01-31 16:37 Re: could not accept ssl connection tlsv1 alert unknown ca Adrian Klaver <[email protected]>
  2025-01-31 16:57 ` Re: Re: could not accept ssl connection tlsv1 alert unknown ca Zwettler Markus (OIZ) <[email protected]>
  2025-01-31 17:07   ` Re: could not accept ssl connection tlsv1 alert unknown ca Adrian Klaver <[email protected]>
@ 2025-02-03 08:37     ` Zwettler Markus (OIZ) <[email protected]>
  0 siblings, 0 replies; 4+ messages in thread

From: Zwettler Markus (OIZ) @ 2025-02-03 08:37 UTC (permalink / raw)
  To: Adrian Klaver <[email protected]>; Tom Lane <[email protected]>; [email protected] <[email protected]>

> -----Ursprüngliche Nachricht-----
> Von: Adrian Klaver <[email protected]>
> Gesendet: Freitag, 31. Januar 2025 18:07
> An: Zwettler Markus (OIZ) <[email protected]>; Tom Lane
> <[email protected]>; [email protected]
> Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca
> 
> On 1/31/25 08:57, Zwettler Markus (OIZ) wrote:
> 
> > bash-4.4$ cat pg_hba.conf
> > # Do not edit this file manually!
> > # It will be overwritten by Patroni!
> > local all "postgres" peer
> > hostssl replication "_crunchyrepl" all cert hostssl "postgres"
> > "_crunchyrepl" all cert host all "_crunchyrepl" all reject host all
> > "ccp_monitoring" "127.0.0.0/8" scram-sha-256 host all "ccp_monitoring"
> > "::1/128" scram-sha-256 host all "ccp_monitoring" all reject hostssl
> > all all all md5
> 
>  From here:
> 
> https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
> 
> "There are two approaches to enforce that users provide a certificate during login.
> 
> The first approach makes use of the cert authentication method for hostssl entries
> in pg_hba.conf, such that the certificate itself is used for authentication while also
> providing ssl connection security.
> 
> 
> [...]
> 
> The second approach combines any authentication method for hostssl entries with
> the verification of client certificates by setting the clientcert authentication option
> to verify-ca or verify-full.  ...
> "
> 
> Is the client having issues trying a connection that matches either of the lines
> below?:
> 
> replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all
> cert
> 
> >
> >
> >
> 
> --
> Adrian Klaver
> [email protected]
> 



No, there are no errors with the lines mentioned. 

The error appears with a connection that matches the last line.



bash-4.4$ cat pg_hba.conf
# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert 
hostssl "postgres" "_crunchyrepl" all cert 
host all "_crunchyrepl" all reject 
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256 
host all "ccp_monitoring" "::1/128" scram-sha-256 
host all "ccp_monitoring" all reject 
hostssl all all all md5                                     <<== user connection matching this line gives the error





^ permalink  raw  reply  [nested|flat] 4+ messages in thread

end of thread, other threads:[~2025-02-03 08:37 UTC | newest]

Thread overview: 4+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2025-01-31 16:37 Re: could not accept ssl connection tlsv1 alert unknown ca Adrian Klaver <[email protected]>
2025-01-31 16:57 ` Zwettler Markus (OIZ) <[email protected]>
2025-01-31 17:07   ` Adrian Klaver <[email protected]>
2025-02-03 08:37     ` Zwettler Markus (OIZ) <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox