Search Postgresql Archives

Re: could not accept ssl connection tlsv1 alert unknown ca

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 1/31/25 00:57, Zwettler Markus (OIZ) wrote:

Von: Tom Lane <tgl@xxxxxxxxxxxxx>



Those cause some additional checks to be made, but it's not like you can expect a
completely broken certificate to work without them.

                         regards, tom lane




I don't understand why Postgres does a certificate validation with “sslmode=prefer”. Postgres should simply ignore every presented client certificate here. Regardless of whether it is trusted or not.


What are the relevant lines in pg_hba.conf?



A certificate validation should only take place in the modes “sslmode=verify-ca” and “ssmode=verify-full”. Only here should Postgres refuse a connection with non-trusted certificates.

At least that's what I read in the documentation. No?

Regards, Markus



--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux