Skip site navigation (1) Skip section navigation (2)

Re: no verification of client certificate?

From: Michael Fuhr <mike(at)fuhr(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Ray Stell <stellr(at)cns(dot)vt(dot)edu>, pgsql-admin(at)postgresql(dot)org
Subject: Re: no verification of client certificate?
Date: 2007-03-26 05:21:25
Message-ID: 20070326052125.GA6352@winnie.fuhr.org (view raw or flat)
Thread:
Lists: pgsql-adminpgsql-docs
On Mon, Mar 26, 2007 at 12:04:21AM -0400, Tom Lane wrote:
> Well, if it works then why is the OP complaining?
> 
> Perhaps there is some non-obvious configuration issue that accounts
> for the difference between your results and his?

I don't see in the OP's messages that he's tried the configuration
I used.  He said he was using the following:

> > no root.crt in the data dir
> > no .postgresql/    <--- this is what made me think there was no server verification
> > server.crt/key in the data dir
> > pg_hba.conf set to hostssl
> > PGSSLMODE=required or prefer

My test configuration looks the same on the server but different
on the client:

Server, in $PGDATA
==================
server.key
server.crt (signed by some CA)
no root.crt

Client, in ~/.postgresql
========================
root.crt (for the CA that signed server.crt)
no postgresql.key or postgresql.crt

The OP did say that 

> > When I first looked at the ssl doc, I didn't see any description of
> > installing the root ca on the client.  This seemed odd.  On my web client,
> > when I need to verify the server crt, I install the appropriate ca in
> > the client.

The "SSL Support" section of the libpq documentation mentions
installing root.crt on the client:

http://www.postgresql.org/docs/8.2/interactive/libpq-ssl.html

"If the file ~/.postgresql/root.crt is present in the user's home
directory, libpq will use the certificate list stored therein to
verify the server's certificate.  (On Microsoft Windows the file is
named %APPDATA%\postgresql\root.crt.)  The SSL connection will fail
if the server does not present a certificate; therefore, to use
this feature the server must also have a root.crt file."

The requirement that the server have a root.crt appears to be
incorrect, at least in the tests I ran.  Unless somebody can justify
that statement I'll submit a documentation patch to correct it.

-- 
Michael Fuhr

In response to

Responses

pgsql-docs by date

Next:From: Ray StellDate: 2007-03-26 13:03:53
Subject: Re: no verification of client certificate?
Previous:From: Tom LaneDate: 2007-03-26 04:04:21
Subject: Re: no verification of client certificate?

pgsql-admin by date

Next:From: Sorin N. CiolofanDate: 2007-03-26 12:32:08
Subject: ERROR: out of shared memory
Previous:From: Tom LaneDate: 2007-03-26 04:04:21
Subject: Re: no verification of client certificate?

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group