On 2/3/25 08:09, Adrian Klaver wrote:
On 2/3/25 02:14, Zwettler Markus (OIZ) wrote:
Is it possible to configure "clientcert=disable" in pg_hba.conf or
disable the client verification otherwise?
The docs only mention "verify-ca" and "verify-full".
"In addition to the method-specific options listed below, there is a
method-independent authentication option clientcert, which can be
specified in any hostssl record. This option can be set to verify-ca
or verify-full."
https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
From what I understand your client has to either not have the client
certificates or create them correctly.
To follow up from here:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/libpq/be-secure-openssl.c;h=abf67bb1b2728e6d2cc9851ca71006d2fd0cde54;hb=HEAD
/*
* Always ask for SSL client cert, but don't fail if it's not
* presented. We might fail such connections later, depending on what
* we find in pg_hba.conf.
*/
SSL_CTX_set_verify(context,
(SSL_VERIFY_PEER |
SSL_VERIFY_CLIENT_ONCE),
verify_cb);
--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
