Hi Tom,
We are using verify-full on both client and server.
Server Side pg_hba.conf
hostssl all <user> <ip> cert clientcert=1
Server Side SSL
postgres=# show ssl_cert_file ;
ssl_cert_file
--------------------------------------
/data/server.cert
postgres=# show ssl_ca_file ;
ssl_ca_file
---------------------------------------------
/data/ca-cert.pem
postgres=# show ssl_key_file ;
ssl_key_file
-------------------------------------
/data/server.key
Client side SSL
export PGSSLROOTCERT="ca.pem"
export PGSSLMODE="verify-full"
export PGSSLCERT="cert.pem"
export PGSSLKEY="cert.key"
Thanks,
Nikhil
On Thu, Jun 1, 2023 at 6:37 PM Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
Nikhil Shetty <nikhil.dba04@xxxxxxxxx> writes:
> We were using MTLS to connect to the database. We noticed that even after
> server certificates expired the client was able to connect to the database.
> 1. Doesn't postgres check the expiry date of the certificate?
Postgres does not. The openssl library can. The most likely
guess, on the basis of the next-to-zero details you provided,
is that the connection is succeeding via some method that doesn't
require the client to check the server's certificate --- for
instance, a completely unencrypted connection.
regards, tom lane
