Re: ssl client cert authentication

On Mon, Nov 01, 2010 at 12:46:33PM -0400, Tom Lane wrote:
> Ray Stell <stellr(at)cns(dot)vt(dot)edu> writes:
> > Someone asked about ssl client cert auth recently. I got
> > this to work, but something tripped me up.
>
> > http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html
>
> > states (very clearly, btw) that, "To require the client to supply a
> > trusted certificate, place certificates of the certificate authorities
> > (CAs) you trust in the file root.crt in the data directory." I had
> > ASS-U-MEd that root.crt would go in .postgresql as it does for encryption.
>
> > This begs the question, why two copies of the same file?
>
> The one in ~/.postgresql is for client usage. The one in $PGDATA is for
> the server's use. There's no reason to assume they'd be the same.
>
> regards, tom lane

I think I see where I went off:
31.17. SSL Support
Changing this to:
31.17. Client SSL Support
would be helpful. Also,
31.17.4. SSL File Usage
might be:
31.17.4. SSL Client File Usage
They did this in the server section, so I'm not completely nuts:
17.8.2. SSL Server File Usage

In hindsight it is very clear. Chapter 17 is on the server and 31 is on the
client. Adding those section title words would have helped me stay on
course.

Another way of providing clue would be to add $PGDATA somewhere in Table
17-3. SSL Server File Usage. They did that sort of thing on the client side
in Table 31-4. Libpq/Client SSL File Usage.