Thread: To whom an SSL client crt (postgresql.crt) is issued

To whom an SSL client crt (postgresql.crt) is issued

From: k.p.d.lehre@medisin.uio.no
Date:
Server: pg 8.0.4 on Red Hat Enterprise Linux 4.
Client: psql 8.0.4 on WinXP Pro SP2.
I have a (self-signed) root.crt on the server, and a
%APPDATA%\postgresql\postgresql.crt signed by that root.crt on the client.
I am surprised that it does not seem to matter to whom the postgresql.crt
is issued.
What I experience is not really contradictory to the docs: "... a client
certificate will be requested from the client during SSL connection
startup, and it must have been signed by one of the certificates present
in root.crt". The docs do not mention that the client crt has to be issued
to the user trying to log on. Isn't it a point TO WHOM the client crt is
issued? Is this the way it is meant to be?

Thanks, KP

Re: To whom an SSL client crt (postgresql.crt) is issued

From: Tom Lane
Date:
k.p.d.lehre@medisin.uio.no writes:
> The docs do not mention that the client crt has to be issued
> to the user trying to log on. Isn't it a point TO WHOM the client crt is
> issued? Is this the way it is meant to be?

Restricting that would require assumptions-not-in-evidence about
certificate issuers using names that sync with database user names.
But perhaps more to the point, Postgres does not use SSL certificates
as a user authentication mechanism, only as a transport privacy
mechanism.  Using SSL is not sufficient grounds for deciding you
can use "trust" auth mode.
        regards, tom lane
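The difference between the two posts above is the difference between two checks: "is this certificate signed by something in root.crt" (which the server does perform) and "is this certificate issued to the user who is logging in" (which, per the reply, it does not). The following script, added here as an illustration and not code from the thread or from PostgreSQL, makes that concrete with the openssl command-line tool: it builds a throw-away CA in the role of the server's root.crt, issues client certificates for constructed users "alice" and "bob", adds a self-signed "alice" certificate from a CA the server does not trust, and then applies both checks to each. The CA, user names and file layout are all assumptions made for the example.

```shell
#!/bin/sh
# Added illustration, not PostgreSQL's code: what "to whom the client cert is
# issued" would mean if the server enforced it.  A throw-away CA plays the
# part of the server's root.crt; "alice", "bob" and the rogue CA are
# constructed sample data.  Needs the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/root.crt"

# Throw-away self-signed CA in the role of root.crt on the server.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$ROOT" 2>/dev/null

# issue_client_cert NAME CN: a client certificate (NAME.crt) with subject CN,
# signed by the throw-away CA, i.e. a valid postgresql.crt for this root.crt.
issue_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$ROOT" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}
issue_client_cert alice alice
issue_client_cert bob bob

# A certificate that also says CN=alice but is signed by nobody in root.crt.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null

# Check 1, the one the server does perform: the certificate chains to root.crt.
# (Tested on openssl's "<file>: OK" line rather than its exit status, which
# older releases did not set reliably.)
cert_chains_to_root() {   # $1 = certificate path
    openssl verify -CAfile "$ROOT" "$1" 2>/dev/null | grep -q ': OK$'
}

# Subject commonName, printed bare.
cert_cn() {               # $1 = certificate path
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *commonName *= *//p'
}

# Check 2, the one the poster expected: CN must equal the login name.
# Without it, any certificate that passes check 1 can be presented for any
# user, which is why the reply treats SSL as transport privacy, not
# authentication, and why "trust" stays unsafe on an hostssl line.
cert_matches_user() {     # $1 = certificate path, $2 = database user name
    cert_chains_to_root "$1" || return 1
    [ "$(cert_cn "$1")" = "$2" ]
}

# Demonstration: all three certificates presented for a login as "alice".
for c in alice bob rogue; do
    if cert_matches_user "$WORK/$c.crt" alice; then
        echo "$c.crt: accepted for user alice"
    else
        echo "$c.crt: rejected for user alice"
    fi
done
```

Run as written it accepts alice.crt and rejects bob.crt (trusted issuer, wrong CN) and rogue.crt (right CN, untrusted issuer). The server in the thread stops after check 1, so bob.crt would get through it as "alice"; the only thing standing between bob and alice's account is therefore the pg_hba.conf method, which is the reply's point: an hostssl line ending in trust lets any holder of a root.crt-signed certificate log in as anyone, whereas one ending in md5 still demands alice's password. (Later PostgreSQL releases added a cert authentication method and a clientcert option for hostssl lines that perform the CN-to-user comparison themselves; the versions discussed in the thread do not.)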