Skip site navigation (1) Skip section navigation (2)

Re: [ADMIN] no verification of client certificate?

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Michael Fuhr <mike(at)fuhr(dot)org>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Ray Stell <stellr(at)cns(dot)vt(dot)edu>, PostgreSQL-documentation <pgsql-docs(at)postgresql(dot)org>
Subject: Re: [ADMIN] no verification of client certificate?
Date: 2007-03-30 03:44:58
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-adminpgsql-docs
I researched this and found that the documentation was wrong because it
said if the client has a 'root.crt', the server must have a 'root.crt',
when in fact on the server a 'server.crt' is required.  Documentation
updated, and mention of libpq SSL section added to server documentation.

The libpq comment verifies this:

    /* Set up to verify server cert, if root.crt is present */

Doc patch attached.  Backpatched to 8.2.X.


Michael Fuhr wrote:
> On Mon, Mar 26, 2007 at 12:04:21AM -0400, Tom Lane wrote:
> > Well, if it works then why is the OP complaining?
> > 
> > Perhaps there is some non-obvious configuration issue that accounts
> > for the difference between your results and his?
> I don't see in the OP's messages that he's tried the configuration
> I used.  He said he was using the following:
> > > no root.crt in the data dir
> > > no .postgresql/    <--- this is what made me think there was no server verification
> > > server.crt/key in the data dir
> > > pg_hba.conf set to hostssl
> > > PGSSLMODE=required or prefer
> My test configuration looks the same on the server but different
> on the client:
> Server, in $PGDATA
> ==================
> server.key
> server.crt (signed by some CA)
> no root.crt
> Client, in ~/.postgresql
> ========================
> root.crt (for the CA that signed server.crt)
> no postgresql.key or postgresql.crt
> The OP did say that 
> > > When I first looked at the ssl doc, I didn't see any description of
> > > installing the root ca on the client.  This seemed odd.  On my web client,
> > > when I need to verify the server crt, I install the appropriate ca in
> > > the client.
> The "SSL Support" section of the libpq documentation mentions
> installing root.crt on the client:
> "If the file ~/.postgresql/root.crt is present in the user's home
> directory, libpq will use the certificate list stored therein to
> verify the server's certificate.  (On Microsoft Windows the file is
> named %APPDATA%\postgresql\root.crt.)  The SSL connection will fail
> if the server does not present a certificate; therefore, to use
> this feature the server must also have a root.crt file."
> The requirement that the server have a root.crt appears to be
> incorrect, at least in the tests I ran.  Unless somebody can justify
> that statement I'll submit a documentation patch to correct it.
> -- 
> Michael Fuhr
> ---------------------------(end of broadcast)---------------------------
> TIP 7: You can help support the PostgreSQL project by donating at

  Bruce Momjian  <bruce(at)momjian(dot)us>

  + If your life is a hard drive, Christ can be your backup. +

Attachment: /rtmp/diff
Description: text/x-diff (2.7 KB)

In response to

pgsql-docs by date

Next:From: Bruce MomjianDate: 2007-03-30 16:38:46
Subject: Re: [ADMIN] no verification of client certificate?
Previous:From: Michael FuhrDate: 2007-03-26 14:00:04
Subject: Re: no verification of client certificate?

pgsql-admin by date

Next:From: Simon RiggsDate: 2007-03-30 10:30:30
Subject: Re: Recovery/Rollback question
Previous:From: Rajesh Kumar MallahDate: 2007-03-29 19:57:54
Subject: Re: Pls exclude me from the mailing list

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group