On Thu, Jun 1, 2023 at 7:40 AM Nikhil Shetty <nikhil.dba04@xxxxxxxxx> wrote:
Hi Team,We were using MTLS to connect to the database. We noticed that even after server certificates expired the client was able to connect to the database.1. Doesn't postgres check the expiry date of the certificate?
I think PostgreSQL doesn't check it, but the ssl library does. And it works for me. After setting the system clock ahead a year (minus 12 hours, because I messed up the am/pm thing), I start getting this on the server side log file:
11863 [unknown] 08P01 2024-06-02 07:38:11.538 EDT LOG: could not accept SSL connection: sslv3 alert certificate expired
It is weird that that message ends up in the server's log file, as it is the client which is doing the rejecting, not the server. So you would think the client would get the details and the server would get the vague conclusion. But it is certainly not the only ssl error reporting oddity I've seen.