| From: | Chris Bandy <bandy(dot)chris(at)gmail(dot)com> |
|---|---|
| To: | Cary Huang <cary(dot)huang(at)highgo(dot)ca>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PATCH] Documentation bug related to client authentication using TLS certificate |
| Date: | 2020-03-03 03:23:37 |
| Message-ID: | 6ecb3825-ac9a-e1c0-9324-29cb771f65e9@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi, Cary.
On 3/2/20 1:06 PM, Cary Huang wrote:
> Hi
>
> I found a document bug about client authentication using TLS
> certificate. When clientcert authentication is enabled in pg_hba.conf,
> libpq does not verify that the *common name*in certificate
> matches*database username*like it is described in the documentation
> before allowing client connection.
>
> Instead, when sslmode is set to “verify-full”, libpq will verify if the
> *server host name*matches the *common name *in client certificate.
This sounds incorrect. My understanding is that the *server* host name
is always matched with the *server* common name.
When
> sslmode is set to “verify-ca”, libpq will verify that the client is
> trustworthy by checking the certificate trust chain up to the root
> certificate and it does not verify *server hostname*and
> certificate*common name *match in this case.
Similarly, libpq will verify the *server* is trustworthy by checking the
*server* certificate up to the root. It does not verify that the host
name matches the common name in the *server* certificate.
In all cases, libpq is responsible for verifying the *server* is who it
claims to be.
-- Chris
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Fujii Masao | 2020-03-03 03:29:12 | Re: First WAL segment file that initdb creates |
| Previous Message | Tom Lane | 2020-03-03 03:22:04 | Re: Symbolic names for the values of typalign and typstorage |