commit e71ea0d0356f5ef2fb4214fc978f835d9fa815f8 Author: Jacob Champion Date: Fri Nov 11 15:55:23 2022 -0800 squash! Add sslcertmode option for client certificates Improve docs, fix comment. diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index c06b0718cf..32c0872eed 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1844,13 +1844,23 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname the server must request a certificate. The - connection will fail if the server authenticates the client despite - not requesting or receiving one. + connection will fail if the client does not send a certificate and + the server successfully authenticates the client anyway. + + + + sslcertmode=require doesn't add any additional + security, since there is no guarantee that the server is validating the + certificate correctly; PostgreSQL servers generally request TLS + certificates from clients whether they validate them or not. The option + may be useful when troubleshooting more complicated TLS setups. + + diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 04fa02af94..241a28a32d 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -482,8 +482,8 @@ verify_cb(int ok, X509_STORE_CTX *ctx) * This callback lets us choose the client certificate we send to the server * after seeing its CertificateRequest. We only support sending a single * hard-coded certificate via sslcert, so we don't actually set any certificates - * here; we just it to record whether or not the server has actually asked for - * one and whether we have one to send. + * here; we just use it to record whether or not the server has actually asked + * for one and whether we have one to send. */ static int cert_cb(SSL *ssl, void *arg)