From: | Jim Jones <jim(dot)jones(at)uni-muenster(dot)de> |
---|---|
To: | Cary Huang <cary(dot)huang(at)highgo(dot)ca>, Israel Barth Rubio <barthisrael(at)gmail(dot)com>, Jacob Champion <jchampion(at)timescale(dot)com> |
Cc: | Jelte Fennema <postgres(at)jeltef(dot)nl>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist |
Date: | 2023-01-29 13:02:18 |
Message-ID: | 960f89e0-bc63-8a22-5f3d-a977228c1264@uni-muenster.de |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 27.01.23 21:13, Cary Huang wrote:
> I agree that it is a more elegant approach to add
> "sslcertmode=disable" on the client side to prevent sending default
> certificate.
>
> But, if the server does request clientcert but client uses
> "sslcertmode=disable" to connect and not give a certificate, it would
> also result in authentication failure. In this case, we actually would
> want to ignore "sslcertmode=disable" and send default certificates if
> found.
Those are all very good points.
> But, if the server does request clientcert but client uses
"sslcertmode=disable" to connect and not give a certificate, it would
also result in authentication failure. In this case, we actually would
want to ignore "sslcertmode=disable" and send default certificates if
found.
I'm just wondering if this is really necessary. If the server asks for a
certificate and the user explicitly says "I don't want to send it",
shouldn't it be ok for the server return an authentication failure? I
mean, wouldn't it defeat the purpose of "sslcertmode=disable"? Although
it might be indeed quite handy I'm not sure how I feel about explicitly
telling the client to not send a certificate and having it being sent
anyway :)
Best, Jim
From | Date | Subject | |
---|---|---|---|
Next Message | Dmitry Dolgov | 2023-01-29 13:32:19 | Re: pg_stat_statements and "IN" conditions |
Previous Message | Marcos Pegoraro | 2023-01-29 12:56:02 | Re: pg_stat_statements and "IN" conditions |