Thread: postgres ssl client certificate authentication
Hi all,
I am playing around with postgres ssl encryption. I am confused about client certificate authentication:
<quote>
The second approach combines any authentication method for hostssl entries with the verification of client certificates by setting the clientcert authentication option to verify-ca or verify-full. The former option only enforces that the certificate is valid, while the latter also ensures that the cn (Common Name) in the certificate matches the user name or an applicable mapping.
</quote>
https://www.postgresql.org/docs/12/ssl-tcp.html
I tried both configurations within my pg_hba.conf, one after another:
hostssl all all 0.0.0.0/0 md5 clientcert=verify-ca
hostssl all all 0.0.0.0/0 md5 clientcert=verify-full
Unfortunately, my postgres server doesn't care about any client certificate.
I can do an SSL connection even without any certificate or with a wrong certificate on the client side (located in the user's home directory).
[tstzwma@tstm27373 ~]$ psql 'host=tstm49004 port=5900 dbname=pcl_l222 user=test'
Password:
psql (10.17, server 9.6.21)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
pcl_l222=>
Any idea?
Thanks, Markus
"Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch> writes:
> I am playing around with postgres ssl encryption. I am confused about client certificate authentication:
> <quote>
> The second approach combines any authentication method for hostssl entries with the verification of client certificates by setting the clientcert authentication option to verify-ca or verify-full. The former option only enforces that the certificate is valid, while the latter also ensures that the cn (Common Name) in the certificate matches the user name or an applicable mapping.
> </quote>
> https://www.postgresql.org/docs/12/ssl-tcp.html

Given that your server is 9.6.x, you're reading the wrong version of the docs. Per https://www.postgresql.org/docs/9.6/auth-pg-hba-conf.html the only clientcert value that does anything is "1":

In addition to the method-specific options listed below, there is one method-independent authentication option clientcert, which can be specified in any hostssl record. When set to 1, this option requires the client to present a valid (trusted) SSL certificate, in addition to the other requirements of the authentication method.

regards, tom lane
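A small version-aware check for the mistake discussed in this thread, added here as an example and not code from either poster or from PostgreSQL: it reads hostssl entries from a pg_hba.conf and reports, for a given server major version, whether the clientcert option actually enforces a client certificate (pre-12 honours only clientcert=1, per the 9.6 docs quoted above; 12 documents verify-ca and verify-full). The sample pg_hba.conf is constructed, and the parser assumes the CIDR address form (it does not handle the separate IP/netmask form).

```python
"""Audit hostssl entries in pg_hba.conf for clientcert options that the
running server version does not honour (the configuration gap in this thread)."""

# Constructed pg_hba.conf sample; CIDR address form only (IP+netmask form not handled).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD  OPTIONS
hostssl all       all   0.0.0.0/0     md5     clientcert=verify-ca
hostssl all       all   0.0.0.0/0     md5     clientcert=verify-full
hostssl all       all   10.0.0.0/8    md5     clientcert=1
hostssl all       all   ::/0          md5
host    all       all   127.0.0.1/32  md5
"""

def parse_hostssl(text):
    """Yield (line_no, method, options_dict) for each hostssl entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] != "hostssl":
            continue                      # comments, blanks, host/local entries
        method, opts = fields[4], fields[5:]
        options = dict(o.split("=", 1) for o in opts if "=" in o)
        yield no, method, options

def clientcert_status(options, server_major):
    """Return (enforced, note) for one entry on a server of the given major version.
    enforced is True/False, or None when the value is not one this check knows."""
    value = options.get("clientcert")
    if value is None:
        return False, "no clientcert option: a missing or wrong client certificate is accepted"
    if server_major < 12:
        if value == "1":
            return True, "clientcert=1 requires a valid, trusted client certificate"
        return False, f"clientcert={value} does nothing on {server_major}.x; use clientcert=1"
    if value in ("verify-ca", "verify-full"):
        return True, f"clientcert={value} is enforced"
    return None, f"clientcert={value}: not verify-ca/verify-full, check the {server_major}.x docs"

def audit(text, server_major):
    """Return [(line_no, enforced, note)] for every hostssl entry in text."""
    return [(no, *clientcert_status(opts, server_major))
            for no, _method, opts in parse_hostssl(text)]

if __name__ == "__main__":
    for major in (9, 12):
        print(f"server {major}.x:")
        for no, ok, note in audit(SAMPLE_HBA, major):
            print(f"  line {no}: {'OK ' if ok else 'GAP'} {note}")
```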