> Von: Tom Lane <tgl@sss.pgh.pa.us>
> Gesendet: Donnerstag, 30. Januar 2025 18:51
> An: Zwettler Markus (OIZ) <Markus.Zwettler@zuerich.ch>
> Cc: pgsql-general@lists.postgresql.org
> Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca
>
> "Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch> writes:
> > However, one client also configured some client certificates + "sslmode=prefer"
> which resulted in "could not accept ssl connection tlsv1 alert unknown ca".
>
> I'm no expert, but I think this typically means a missing or untrusted intermediate
> certificate, that is no chain of trust to one of the certs that your OpenSSL
> considers trusted.
>
> > I always thought that Postgres does only validate certificates with
> > "sslmode=verify-ca" and "sslmode=verify-full" =>
> > https://www.postgresql.org/docs/current/libpq-ssl.html
>
> Those cause some additional checks to be made, but it's not like you can expect a
> completely broken certificate to work without them.
>
> regards, tom lane
I don't understand why Postgres does a certificate validation with “sslmode=prefer”. Postgres should simply ignore
everypresented client certificate here. Regardless of whether it is trusted or not.
A certificate validation should only take place in the modes “sslmode=verify-ca” and “ssmode=verify-full”. Only here
shouldPostgres refuse a connection with non-trusted certificates.
At least that's what I read in the documentation. No?
Regards, Markus
