Do you have any documents to implement SSL over Postgres? I am looking for this and this thread is very helpful for me.
On Wed, Oct 19, 2022 at 10:47 AM Jeff Janes <jeff.janes@xxxxxxxxx> wrote:
On Wed, Oct 19, 2022 at 8:50 AM Matthew Lenz <mlenz@xxxxxxxxxxxxx> wrote:

> This is what I've got currently but it's still allowing non-ssl connections from remote (non-local/private) hosts. Any thoughts?

Did you reload the server configurations after changing the file? What is the address of that non-local host, as seen by the server? (you can check the first with `select * from pg_hba_file_rules`, and second with `select client_addr from pg_stat_activity where pid=pg_backend_pid();`)

> local all all trust
> host all all 127.0.0.1/32 trust
> host all all ::1/128 trust
> host all all 10.0.0.0/8 md5
> host all all 172.16.0.0/12 md5
> hostssl all all all md5 clientcert=verify-ca
>
> Also when I require SSL on the client it allows SSL connections without a CA signed cert which I thought clientcert=verify-ca in this pg_hba should require.

No, clientcert=verify-ca forces the server to check the client's certificate. Forcing the client to check the server's certificate must be done on the client end. (And of course if you are not connecting via that line of the pg_hba, then that setting doesn't do anything.)

Cheers,
Jeff
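
Added example (not part of the thread and not PostgreSQL code): a small Python model of pg_hba.conf first-match evaluation, run over the TCP rules posted above, to show why the client address as seen by the server decides whether the `hostssl ... clientcert=verify-ca` line is ever reached. The client addresses are constructed samples, and the database and user columns are ignored because every posted rule uses `all`.

```python
import ipaddress

# TCP rules as posted in the thread. The "local" line is left out because
# it only applies to Unix-socket connections.
HBA = """\
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 10.0.0.0/8 md5
host all all 172.16.0.0/12 md5
hostssl all all all md5 clientcert=verify-ca
"""

def parse(text):
    """Parse host/hostssl/hostnossl lines into (type, network, line) tuples."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        conn_type, _db, _user, addr = fields[:4]
        net = None if addr == "all" else ipaddress.ip_network(addr)
        rules.append((conn_type, net, line))
    return rules

def first_match(rules, client_addr, ssl):
    """Return the first matching line (the only one the server uses), or
    None when no line matches and the connection is rejected."""
    ip = ipaddress.ip_address(client_addr)
    for conn_type, net, line in rules:
        # "host" matches SSL and non-SSL; "hostssl" SSL only; "hostnossl" non-SSL only.
        if conn_type == "hostssl" and not ssl:
            continue
        if conn_type == "hostnossl" and ssl:
            continue
        if net is not None and (ip.version != net.version or ip not in net):
            continue
        return line
    return None

RULES = parse(HBA)

if __name__ == "__main__":
    # Constructed sample addresses: one public, one inside 10.0.0.0/8.
    for addr in ("203.0.113.7", "10.20.30.40"):
        for ssl in (False, True):
            print(f"{addr:<12} ssl={ssl!s:<5} -> {first_match(RULES, addr, ssl)}")
```

A client that reaches the server from inside 10.0.0.0/8 or 172.16.0.0/12 (for example through NAT or a proxy) matches a plain `host` line with or without SSL, so the `clientcert=verify-ca` option on the last line never applies to it.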