Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist

On 27.01.23 21:13, Cary Huang wrote:

> I agree that it is a more elegant approach to add
> "sslcertmode=disable" on the client side to prevent sending default
> certificate.
>
> But, if the server does request clientcert but client uses
> "sslcertmode=disable" to connect and not give a certificate, it would
> also result in authentication failure. In this case, we actually would
> want to ignore "sslcertmode=disable" and send default certificates if
> found.

Those are all very good points.

> But, if the server does request clientcert but client uses
"sslcertmode=disable" to connect and not give a certificate, it would
also result in authentication failure. In this case, we actually would
want to ignore "sslcertmode=disable" and send default certificates if
found.

I'm just wondering if this is really necessary. If the server asks for a
certificate and the user explicitly says "I don't want to send it",
shouldn't it be ok for the server return an authentication failure? I
mean, wouldn't it defeat the purpose of "sslcertmode=disable"? Although
it might be indeed quite handy I'm not sure how I feel about explicitly
telling the client to not send a certificate and having it being sent
anyway :)

Best, Jim