Home > mailing lists

Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist - Mailing list pgsql-hackers

From	Jacob Champion
Subject	Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist
Date	January 31, 2023 00:01:29
Msg-id	CAAWbhmggtiMRPkY45Jr=fBinO1BmaosRakmHAcdXNoDrvOrk2Q@mail.gmail.com Whole thread Raw
In response to	Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist (Cary Huang <cary.huang@highgo.ca>)
List	pgsql-hackers

Tree view

On Fri, Jan 27, 2023 at 12:13 PM Cary Huang <cary.huang@highgo.ca> wrote:
> > (Eventually I'd like to teach the server not to ask for a client
> >  certificate if it's not going to use it.)
>
> If clientcert is not requested by the server, but yet the client still
> sends the certificate, the server will still verify it. This is the case
> in this discussion.

I think this is maybe conflating the application-level behavior with
the protocol-level behavior. A client certificate is requested by the
server if ssl_ca_file is set, whether clientcert is set in the HBA or
not. It's this disconnect between the intuitive behavior and the
actual behavior that I'd like to eventually improve.

--Jacob

pgsql-hackers by date:

From: Melanie Plageman
Date: 30 January 2023, 23:57:34
Subject: Re: heapgettup() with NoMovementScanDirection unused in core?

From: Tom Lane
Date: 31 January 2023, 00:01:51
Subject: Re: MacOS: xsltproc fails with "warning: failed to load external entity"

Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist - Mailing list pgsql-hackers

Previous

Next