Re: postgres ssl client certificate authentification - Mailing list pgsql-general

From Tom Lane
Subject Re: postgres ssl client certificate authentification
Date
Msg-id 959129.1634312968@sss.pgh.pa.us
Whole thread Raw
In response to postgres ssl client certificate authentification  ("Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch>)
List pgsql-general
"Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch> writes:
> I am playing around with postgres ssl encryption. I am confused about client certificate authentication:

> <quote>
> The second approach combines any authentication method for hostssl entries with the verification of client
certificatesby setting the clientcert authentication option to verify-ca or verify-full. The former option only
enforcesthat the certificate is valid, while the latter also ensures that the cn (Common Name) in the certificate
matchesthe user name or an applicable mapping. 
> </quote>
> https://www.postgresql.org/docs/12/ssl-tcp.html

Given that your server is 9.6.x, you're reading the wrong version
of the docs.  Per

https://www.postgresql.org/docs/9.6/auth-pg-hba-conf.html

the only clientcert value that does anything is "1":

    In addition to the method-specific options listed below, there is one
    method-independent authentication option clientcert, which can be
    specified in any hostssl record. When set to 1, this option requires
    the client to present a valid (trusted) SSL certificate, in addition
    to the other requirements of the authentication method.

            regards, tom lane



pgsql-general by date:

Previous
From: "Zwettler Markus (OIZ)"
Date:
Subject: postgres ssl client certificate authentification
Next
From: Tom Lane
Date:
Subject: Re: PostgreSQL 14: pg_dump / pg_restore error: could not write to the communication channel: Broken pipe