Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist

From: Jim Jones <jim(dot)jones(at)uni-muenster(dot)de>
To: Jacob Champion <jchampion(at)timescale(dot)com>
Cc: Israel Barth Rubio <barthisrael(at)gmail(dot)com>, Jelte Fennema <postgres(at)jeltef(dot)nl>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist
Date: 2023-01-21 12:35:49
Message-ID: dc014858-2478-14a5-491d-d63b0d6808e8@uni-muenster.de
Lists: pgsql-hackers

Hi Jacob,

> I think the sslcertmode=disable option that I introduced in [1]
> solves this issue too;

Well, I see there is indeed a significant overlap between our patches -
but yours has a much more comprehensive approach! If I got it right,
the new sslcertmode=disable would indeed cancel the existing certs in
'~/.postgresql/' in case they exist. Right?

+    if (conn->sslcertmode[0] == 'd') /* disable */
+    {
+        /* don't send a client cert even if we have one */
+        have_cert = false;
+    }
+    else if (fnbuf[0] == '\0')
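Review bot: the disable branch sets have_cert = false but leaves fnbuf holding the resolved certificate path, so whether the matching key file is still opened (and its permission checks still run) depends on the code after this hunk; make sure the key-loading code is gated on have_cert rather than on fnbuf being non-empty, otherwise a connection that will never present a certificate still reads the key. The single-character test `conn->sslcertmode[0] == 'd'` is only safe if sslcertmode has already been validated against its allowed values during option parsing; a short comment pointing at that validation would save the next reader a trip.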

My idea was rather to use the existing sslmode with a new option
"no-clientcert" that actually does the same:

    /*
     * sslmode no-clientcert: forget the certificate path, so the existing
     * fall-through below treats this exactly like having no cert file.
     * No other sslmode value starts with 'n', so the first-character
     * test is unambiguous.
     */
    if (conn->sslmode[0] == 'n')
    {
        fnbuf[0] = '\0';
    }

    ...

    if (fnbuf[0] == '\0')
    {
        /* no home directory (or no-clientcert), proceed without a client cert */
        have_cert = false;
    }

I wish I had found your patchset some months ago. Now I hate myself
for the duplication of efforts :D

What is the status of your patchset?

Cheers
Jim
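The problem in the subject line only bites when libpq silently picks up a default client certificate. The script below is an added example, not code from this thread or from libpq: it mirrors libpq's documented lookup order for the client certificate (the sslcert connection parameter, then the PGSSLCERT environment variable, then ~/.postgresql/postgresql.crt) against the real filesystem, so you can tell in advance whether a connection will present a certificate. The `sslcertmode=disable` override it models is the behaviour proposed in Jacob's patch and is an assumption here, not a knob in released libpq; the temporary home directory and the empty certificate file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: predict whether libpq would present a client certificate.
# Lookup order is libpq's documented one; "sslcertmode=disable" is the
# proposed (not yet released) override from the patch under discussion.

# usage: client_cert_for <home_dir> <sslcert_param> <sslcertmode>
# Prints the certificate path libpq would load, or "none".
client_cert_for() {
    cc_home=$1
    cc_param=$2
    cc_mode=$3

    # Proposed behaviour: sslcertmode=disable never sends a client cert,
    # even when a default certificate file is sitting in $HOME.
    if [ "$cc_mode" = "disable" ]; then
        echo none
        return 0
    fi

    # Documented precedence: connection parameter, then environment,
    # then the per-user default location.
    if [ -n "$cc_param" ]; then
        cc_cert=$cc_param
    elif [ -n "$PGSSLCERT" ]; then
        cc_cert=$PGSSLCERT
    else
        cc_cert=$cc_home/.postgresql/postgresql.crt
    fi

    # A missing file means no certificate is sent.
    if [ -f "$cc_cert" ]; then
        echo "$cc_cert"
    else
        echo none
    fi
}

# Demonstration with a constructed $HOME: the exact situation from the
# subject line, then the same connection with the proposed override.
demo() {
    unset PGSSLCERT
    d_home=$(mktemp -d)
    mkdir -p "$d_home/.postgresql"
    : > "$d_home/.postgresql/postgresql.crt"   # constructed, empty placeholder
    : > "$d_home/.postgresql/postgresql.key"

    printf 'default lookup        : %s\n' "$(client_cert_for "$d_home" "" "")"
    printf 'sslcertmode=disable   : %s\n' "$(client_cert_for "$d_home" "" disable)"
    printf 'sslcert=<missing file>: %s\n' "$(client_cert_for "$d_home" "$d_home/absent.crt" "")"

    rm -rf "$d_home"
}

demo
```

Run it as-is to see which file a plain `psql` on this machine would hand to the server; if the first line names a certificate you did not expect, that is the file the server will try to verify before any md5 password exchange takes place.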
