Discussion: Are client connections via ca.crt only possible?
Requirement is to use only ca.crt and connect to postgres
Server.crt, Server.key and ca.crt are configured at the postgres server for tls connection.
Connection successful while using
psql 'host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca sslcert=/tmp/server.crt sslkey=/tmp/server.key sslrootcert=/tmp/ca.crt port=5432'
For clients to connect, can they use only ca.crt and connect to the DB. Tried and got the below error
psql 'host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca sslrootcert=/tmp/ca.crt port=5432'
psql: error: connection to server at "172.29.21.222", port 50001 failed: FATAL: connection requires a valid client certificate
On 2022-08-01 04:12, Rejo Oommen wrote:
> Requirement is to use only ca.crt and connect to postgres
>
> Server.crt, Server.key and ca.crt are configured at the postgres
> server for tls connection.
>
> Connection successful while using
> psql 'host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca
> sslcert=/tmp/server.crt sslkey=/tmp/server.key sslrootcert=/tmp/ca.crt
> port=5432'
>
> For clients to connect, can they use only ca.crt and connect to the
> DB. Tried and got the below error
>
> psql 'host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca
> sslrootcert=/tmp/ca.crt port=5432'
> psql: error: connection to server at "172.29.21.222", port 50001
> failed: FATAL: connection requires a valid client certificate
>

Hi Rejo,

I don't think you understand fully how mutual TLS auth works. For the
client to authenticate using a certificate, it needs a valid certificate
and key too, where the certificate is signed by a CA your server trusts
(usually the same CA that signed your server cert) and with a proper
subject (that bears the certificate owner's user name, the user you will
use to grant privileges in the database). You shouldn't even need to
pass a username, it will be in the certificate.

I'm talking purely from a generic view, I'm not familiar with any of the
specifics of PostgreSQL configuration but TLS authentication requires a
secret and a CA certificate isn't secret. Your server certificate
authenticates the server, but nothing authenticates the client.

Regards,

--
Thomas
Thank you for the reply Thomas. I agree with you on the mutual TLS that you mentioned.
Here is what I was looking at.
The configurations at the server end will be with auth-method as md5 and auth-option as clientcert=verify-ca.
In this way, the user's password along with the valid ca should allow connections to pass.
Regards,
Rejo
On Thu, 4 Aug 2022, 03:01 Thomas Guyot, <tguyot@gmail.com> wrote:
On 2022-08-03 21:37, Rejo Oommen wrote:
> Thank you for the reply Thomas. I agree with you on the mutual TLS
> that you mentioned.
>
> Here is what I was looking at.
>
> The configurations at the server end will be with auth-method as md5
> and auth-option as clientcert=verify-ca.
>
There's your issue. If you tell the server to validate the client cert,
then it will require the client to provide a valid cert to identify itself.

> In this way, the user's password along with the valid ca should allow
> connections to pass.
>
The ca on your setup is only useful for the client to ensure the server
is the correct one and prevent MITM attacks. This is a client-side check,
not server-side.

The only authentication security here is the password/md5, but protected
from eavesdropping (passive and MITM) and connection hijacking by
encryption, with some of these protections only effective when the client
uses the verify-ca option. The server cannot ensure the client is actually
validating the ca, not even that it's talking to the actual client and not
a MITM, simply because the client itself is not authenticated by mutual TLS.

Regards

--
Thomas
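The point of the exchange above, as a worked example added here (this is not code from the thread, from the posters, or from PostgreSQL itself): a small model of how a pg_hba.conf rule decides what the server will demand of a libpq client. A `cert` auth method, or a `clientcert=verify-ca` / `clientcert=verify-full` option on a `hostssl` rule, makes the server insist on a client certificate and key, which is exactly why "md5 plus clientcert=verify-ca" fails for a client that only carries ca.crt. A plain `hostssl ... md5` rule only needs the password; `sslmode=verify-ca` with `sslrootcert` is then a purely client-side check the server never sees. The sample pg_hba.conf, the client option dicts and the IP addresses are constructed for this example; addresses are assumed to be in CIDR form or the keyword `all`, and the libpq fallback to `~/.postgresql/` default files is not modelled.

```python
"""Model of pg_hba.conf first-match rules vs. libpq client options.

Added example for this thread; not PostgreSQL's own code. It answers the
question the thread asks: given a server rule, does the client need a
certificate and key, a password, or only ca.crt?
"""
import ipaddress

# Error text as seen in the thread when the server demands a client cert.
CLIENT_CERT_ERROR = "FATAL: connection requires a valid client certificate"

# Constructed sample pg_hba.conf (not the poster's real configuration).
SAMPLE_PG_HBA = """\
# TYPE   DATABASE  USER      ADDRESS          METHOD  [OPTIONS]
hostssl  test      postgres  172.29.21.0/24   md5
hostssl  test      postgres  172.29.0.0/16    md5     clientcert=verify-ca
hostssl  test      all       all              cert    map=pgusers
"""


def parse_pg_hba(text):
    """Parse lines of the form: type db user [address] method [opt=val ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":               # 'local' rules carry no address
            conn_type, database, user, method, *opts = fields
            address = None
        else:
            conn_type, database, user, address, method, *opts = fields
        rules.append({
            "type": conn_type,
            "database": database,
            "user": user,
            # Assumption: CIDR notation or 'all'; the separate-netmask form is not handled.
            "address": None if address in (None, "all") else ipaddress.ip_network(address),
            "method": method,
            "options": dict(o.split("=", 1) for o in opts),
        })
    return rules


def first_matching_rule(rules, database, user, client_ip, tls):
    """pg_hba.conf is first-match: the first rule whose type, database, user
    and address match decides the outcome, even if the client then fails it."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule["type"] == "local":            # a TCP connection never matches 'local'
            continue
        if rule["type"] == "hostssl" and not tls:
            continue
        if rule["type"] == "hostnossl" and tls:
            continue
        if rule["database"] not in ("all", database) or rule["user"] not in ("all", user):
            continue
        if rule["address"] is not None and ip not in rule["address"]:
            continue
        return rule
    return None


def server_demands(rule):
    """What the server insists on under a rule: method 'cert' makes the
    certificate the credential; clientcert=verify-ca/verify-full (or the
    legacy clientcert=1) demands a trusted client cert on top of the method."""
    clientcert = rule["options"].get("clientcert")
    return {
        "client_cert": rule["method"] == "cert" or clientcert in ("1", "verify-ca", "verify-full"),
        "password": rule["method"] in ("password", "md5", "scram-sha-256"),
    }


def client_verifies_server(client):
    """The check sslrootcert buys the client; the server cannot observe it."""
    return client.get("sslmode") in ("verify-ca", "verify-full") and bool(client.get("sslrootcert"))


def evaluate(pg_hba_text, client):
    """Predict the server's answer for a libpq-style option dict: client_ip,
    dbname, user, sslmode, and optionally sslrootcert, sslcert, sslkey, password."""
    tls = client.get("sslmode", "prefer") != "disable"
    rule = first_matching_rule(parse_pg_hba(pg_hba_text), client["dbname"],
                               client["user"], client["client_ip"], tls)
    if rule is None:
        return "FATAL: no pg_hba.conf entry for host"
    demands = server_demands(rule)
    if demands["client_cert"] and not (client.get("sslcert") and client.get("sslkey")):
        return CLIENT_CERT_ERROR
    if demands["password"] and not client.get("password"):
        return "FATAL: password authentication failed"
    return "OK"


if __name__ == "__main__":
    # Constructed client: only ca.crt plus a password, from an address that
    # lands on the clientcert=verify-ca rule (the thread's situation).
    base = {"client_ip": "172.29.30.5", "dbname": "test", "user": "postgres",
            "sslmode": "verify-ca", "sslrootcert": "/tmp/ca.crt", "password": "secret"}
    print(evaluate(SAMPLE_PG_HBA, base))   # -> FATAL: connection requires a valid client certificate
    print(evaluate(SAMPLE_PG_HBA, {**base, "sslcert": "/tmp/client.crt",
                                   "sslkey": "/tmp/client.key"}))   # -> OK
```

Two things the model makes visible that the thread only states: first-match means the same client gets a different demand depending on which rule its source address hits, and `client_verifies_server` is computed from client options alone, so a server can never confirm the client did that check.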