If we provide the CRL then the CRL will be referred and the connection might not go through but the CRL takes atleast 12 hours to reflect the expired certificate.
We wanted to understand if the connection can be rejected based on the 'Expiry date' in the server certificate even without referring the CRL?
Thanks,
Nikhil
On Thu, Jun 1, 2023 at 9:57 PM Nikhil Shetty <nikhil.dba04@xxxxxxxxx> wrote:
Hi Tom,We are using verify-full on both client and server.Server Side pg_hba.confhostssl all <user> <ip> cert clientcert=1
Server Side SSL
postgres=# show ssl_cert_file ;
ssl_cert_file
--------------------------------------
/data/server.cert
postgres=# show ssl_ca_file ;
ssl_ca_file
---------------------------------------------
/data/ca-cert.pem
postgres=# show ssl_key_file ;
ssl_key_file
-------------------------------------
/data/server.key
Client side SSL
export PGSSLROOTCERT="ca.pem"
export PGSSLMODE="verify-full"
export PGSSLCERT="cert.pem"
export PGSSLKEY="cert.key"
Thanks,
Nikhil
On Thu, Jun 1, 2023 at 6:37 PM Tom Lane <tgl@xxxxxxxxxxxxx> wrote:Nikhil Shetty <nikhil.dba04@xxxxxxxxx> writes:
> We were using MTLS to connect to the database. We noticed that even after
> server certificates expired the client was able to connect to the database.
> 1. Doesn't postgres check the expiry date of the certificate?
Postgres does not. The openssl library can. The most likely
guess, on the basis of the next-to-zero details you provided,
is that the connection is succeeding via some method that doesn't
require the client to check the server's certificate --- for
instance, a completely unencrypted connection.
regards, tom lane
