> -----Ursprüngliche Nachricht----- > Von: Adrian Klaver <adrian.klaver@xxxxxxxxxxx> > Gesendet: Freitag, 31. Januar 2025 17:37 > An: Zwettler Markus (OIZ) <Markus.Zwettler@xxxxxxxxxx>; Tom Lane > <tgl@xxxxxxxxxxxxx>; pgsql-general@xxxxxxxxxxxxxxxxxxxx > Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca > > On 1/31/25 00:57, Zwettler Markus (OIZ) wrote: > >> Von: Tom Lane <tgl@xxxxxxxxxxxxx> > > >> Those cause some additional checks to be made, but it's not like you > >> can expect a completely broken certificate to work without them. > >> > >> regards, tom lane > > > > > > > > I don't understand why Postgres does a certificate validation with > “sslmode=prefer”. Postgres should simply ignore every presented client certificate > here. Regardless of whether it is trusted or not. > > What are the relevant lines in pg_hba.conf? > > > > > A certificate validation should only take place in the modes “sslmode=verify-ca” > and “ssmode=verify-full”. Only here should Postgres refuse a connection with non- > trusted certificates. > > > > At least that's what I read in the documentation. No? > > > > Regards, Markus > > > > -- > Adrian Klaver > adrian.klaver@xxxxxxxxxxx > bash-4.4$ cat pg_hba.conf # Do not edit this file manually! # It will be overwritten by Patroni! local all "postgres" peer hostssl replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all cert host all "_crunchyrepl" all reject host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256 host all "ccp_monitoring" "::1/128" scram-sha-256 host all "ccp_monitoring" all reject hostssl all all all md5
