> Von: Tom Lane <tgl@xxxxxxxxxxxxx> > Gesendet: Donnerstag, 30. Januar 2025 18:51 > An: Zwettler Markus (OIZ) <Markus.Zwettler@xxxxxxxxxx> > Cc: pgsql-general@xxxxxxxxxxxxxxxxxxxx > Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca > > "Zwettler Markus (OIZ)" <Markus.Zwettler@xxxxxxxxxx> writes: > > However, one client also configured some client certificates + "sslmode=prefer" > which resulted in "could not accept ssl connection tlsv1 alert unknown ca". > > I'm no expert, but I think this typically means a missing or untrusted intermediate > certificate, that is no chain of trust to one of the certs that your OpenSSL > considers trusted. > > > I always thought that Postgres does only validate certificates with > > "sslmode=verify-ca" and "sslmode=verify-full" => > > https://www.postgresql.org/docs/current/libpq-ssl.html > > Those cause some additional checks to be made, but it's not like you can expect a > completely broken certificate to work without them. > > regards, tom lane I don't understand why Postgres does a certificate validation with “sslmode=prefer”. Postgres should simply ignore every presented client certificate here. Regardless of whether it is trusted or not. A certificate validation should only take place in the modes “sslmode=verify-ca” and “ssmode=verify-full”. Only here should Postgres refuse a connection with non-trusted certificates. At least that's what I read in the documentation. No? Regards, Markus
