Re: proper pg_hba config to require ssl from non-local/private ips

From Jeff Janes
Subject Re: proper pg_hba config to require ssl from non-local/private ips
Date
Msg-id CAMkU=1w4terLtcWHm2gZXO92pB69UdFZdeyvSoLBAiS3A_9B2Q@mail.gmail.com
In reply to Re: proper pg_hba config to require ssl from non-local/private ips  (Matthew Lenz <mlenz@nocturnal.org>)
List pgsql-admin
On Wed, Oct 19, 2022 at 12:29 PM Matthew Lenz <mlenz@nocturnal.org> wrote:
> On Wed, Oct 19, 2022 at 10:47 AM Jeff Janes <jeff.janes@gmail.com> wrote:
>
>> No, clientcert=verify-ca forces the server to check the client's certificate.  Forcing the client to check the server's certificate must be done on the client end.  (And of course if you are not connecting via that line of the pg_hba, then that setting doesn't do anything.)
>
> I didn't say the client was meant to enforce it.  I meant the server should be enforcing it (it's not).

Well, if it isn't enforcing ssl in the first place, it certainly can't be enforcing clientcert.  Worry about making sure your current version of pg_hba is actually in use first, then the clientcert issue should take care of itself.  You still can't start debugging the one (in the unlikely event it still needs debugging) until after you fix the other.

Cheers,

Jeff
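
Added example, not part of the message above and not PostgreSQL's own code: a simplified simulation of pg_hba.conf first-match selection, showing that a connection matching an earlier line never reaches the line carrying clientcert=verify-ca. Both config samples, the client addresses and the default db/user names are constructed assumptions; quoting, include files, hostnames and samehost/samenet are not handled.

```python
import ipaddress

# Constructed pg_hba.conf samples (not from the thread). In SHADOWED the broad
# "host" line sits above the hostssl line that carries clientcert=verify-ca.
SHADOWED = """\
local    all  all                 peer
host     all  all  10.0.0.0/8     scram-sha-256
host     all  all  0.0.0.0/0      scram-sha-256
hostssl  all  all  0.0.0.0/0      scram-sha-256  clientcert=verify-ca
"""
REORDERED = """\
local    all  all                 peer
host     all  all  10.0.0.0/8     scram-sha-256
hostssl  all  all  0.0.0.0/0      scram-sha-256  clientcert=verify-ca
"""

def parse_hba(text):
    """Parse into dicts. Simplified: no quoting, include files or hostnames."""
    rules = []
    for line_no, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":          # local lines have no ADDRESS column
            f.insert(3, "all")
        net = None if f[3] == "all" else ipaddress.ip_network(f[3])
        rules.append({"line": line_no, "type": f[0], "db": f[1].split(","),
                      "user": f[2].split(","), "net": net,
                      "method": f[4], "options": f[5:]})
    return rules

def first_match(rules, ip, ssl, db="app", user="alice"):
    """Return the first rule matching a TCP connection, or None (rejected)."""
    client = ipaddress.ip_address(ip)
    for r in rules:
        if r["type"] == "local":                      # Unix sockets only
            continue
        if (r["type"] == "hostssl" and not ssl) or (r["type"] == "hostnossl" and ssl):
            continue
        if r["net"] is not None and client not in r["net"]:
            continue
        if "all" in r["db"] or db in r["db"]:
            if "all" in r["user"] or user in r["user"]:
                return r              # first match wins, no fall-through
    return None
```

With SHADOWED, a public client is admitted by line 3 whether or not it uses SSL, so the clientcert option on line 4 is never consulted; with REORDERED, the same client is rejected without SSL and lands on the hostssl line with it.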
