Re: Question on SSL certificate expiry

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


If we provide the CRL then the CRL will be referred and the connection might not go through but the CRL takes atleast 12 hours to reflect the expired certificate.

We wanted to understand if the connection can be rejected based on the 'Expiry date' in the server certificate even without referring the CRL? 


On Thu, Jun 1, 2023 at 9:57 PM Nikhil Shetty <nikhil.dba04@xxxxxxxxx> wrote:
Hi Tom,

We are using verify-full on both client and server. 

Server Side pg_hba.conf

hostssl all <user> <ip> cert clientcert=1

Server Side SSL

postgres=# show ssl_cert_file ;




postgres=# show ssl_ca_file ;




postgres=# show ssl_key_file ;




Client side SSL

export PGSSLROOTCERT="ca.pem"                                       

export PGSSLMODE="verify-full"                               

export PGSSLCERT="cert.pem"

export PGSSLKEY="cert.key" 



On Thu, Jun 1, 2023 at 6:37 PM Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
Nikhil Shetty <nikhil.dba04@xxxxxxxxx> writes:
> We were using MTLS to connect to the database. We noticed that even after
> server certificates expired the client was able to connect to the database.

> 1. Doesn't postgres check the expiry date of the certificate?

Postgres does not.  The openssl library can.  The most likely
guess, on the basis of the next-to-zero details you provided,
is that the connection is succeeding via some method that doesn't
require the client to check the server's certificate --- for
instance, a completely unencrypted connection.

                        regards, tom lane

[Index of Archives]     [Postgresql Home]     [Postgresql General]     [Postgresql Performance]     [Postgresql PHP]     [Postgresql Jobs]     [PHP Users]     [PHP Databases]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Yosemite Forum]

  Powered by Linux