On Fri, Mar 23, 2007 at 06:01:17PM -0400, Tom Lane wrote:
> Ray Stell <stellr@cns.vt.edu> writes:
> > I was hoping to not have to support client certs. I want
> > encryption and to verify the server, but no to verify the client.
> > Does this work and I've got the config wrong?
>
> Maybe I misunderstand what you want --- doesn't leaving out the
> server's root.crt file do that?
>
It doesn't look like it to me. I hope you can steer me back.
When I first looked at the ssl doc, I didn't see any description of
installing the root ca on the client. This seemed odd. On my web client,
when I need to verify the server crt, I install the appropriate ca in
the client.
Anyway, two permutations of the various config items provided ssl
connections. One was with a client crt and the other was, as you said,
no root crt on the server datadir. The verions without the client cert
was closer to what I was after.
I describe the config here:
no root.crt in the data dir
no .postgresql/ <--- this is what made me think there was no server verification
server.crt/key in the data dir
pg_hba.conf set to hostssl
PGSSLMODE=required or prefer
connect:
--------
$ psql -h serve.vt.edu -p 5437 testdb jira
Password for user jira:
Welcome to psql 8.2.3, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
strace the above connection, it tries/fails to open the client ca :
--------------------------------------------------------------------
stat64("/home/postgresql/.postgresql/root.crt", 0xbfee27d0) = -1 ENOENT (No such file or directory)
stat64("/home/postgresql/.postgresql/root.crt", 0xbfee27d0) = -1 ENOENT (No such file or directory)
So, it looks to me like I get encryption this way, but no server verification. Hope I'm wrong.
Thanks for you help.