| From: | Jacob Champion <jchampion(at)timescale(dot)com> |
|---|---|
| To: | Cary Huang <cary(dot)huang(at)highgo(dot)ca> |
| Cc: | Israel Barth Rubio <barthisrael(at)gmail(dot)com>, Jim Jones <jim(dot)jones(at)uni-muenster(dot)de>, Jelte Fennema <postgres(at)jeltef(dot)nl>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist |
| Date: | 2023-01-30 21:01:29 |
| Message-ID: | CAAWbhmggtiMRPkY45Jr=fBinO1BmaosRakmHAcdXNoDrvOrk2Q@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Jan 27, 2023 at 12:13 PM Cary Huang <cary(dot)huang(at)highgo(dot)ca> wrote:
> > (Eventually I'd like to teach the server not to ask for a client
> > certificate if it's not going to use it.)
>
> If clientcert is not requested by the server, but yet the client still
> sends the certificate, the server will still verify it. This is the case
> in this discussion.
I think this is maybe conflating the application-level behavior with
the protocol-level behavior. A client certificate is requested by the
server if ssl_ca_file is set, whether clientcert is set in the HBA or
not. It's this disconnect between the intuitive behavior and the
actual behavior that I'd like to eventually improve.
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2023-01-30 21:01:51 | Re: MacOS: xsltproc fails with "warning: failed to load external entity" |
| Previous Message | Melanie Plageman | 2023-01-30 20:57:34 | Re: heapgettup() with NoMovementScanDirection unused in core? |