postgres ssl client certificate authentification

From: Zwettler Markus (OIZ)
Subject: postgres ssl client certificate authentification
Date:
Msg-id: 54285c6f118c4aa1b5b7a5bfc99bd840@zuerich.ch
Responses: Re: postgres ssl client certificate authentification  (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-general

Hi all,

I am playing around with postgres ssl encryption. I am confused about client certificate authentication:

<quote>

The second approach combines any authentication method for hostssl entries with the verification of client certificates by setting the clientcert authentication option to verify-ca or verify-full. The former option only enforces that the certificate is valid, while the latter also ensures that the cn (Common Name) in the certificate matches the user name or an applicable mapping.

</quote>

https://www.postgresql.org/docs/12/ssl-tcp.html

I tried both configurations within my pg_hba.conf, one after another:

hostssl   all             all             0.0.0.0/0               md5  clientcert=verify-ca

hostssl   all             all             0.0.0.0/0               md5  clientcert=verify-full

Unfortunately, my postgres server doesn't care about any client certificate.

I can do an SSL connection even without any certificate or with a wrong certificate on the client side (located in the user's home directory).

[tstzwma@tstm27373 ~]$ psql 'host=tstm49004 port=5900 dbname=pcl_l222 user=test'

Password:

psql (10.17, server 9.6.21)

SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)

Type "help" for help.

pcl_l222=>

Any idea?

Thanks, Markus
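
A configuration check for the situation in this post, added here as an example and not taken from the thread: it reads the server version from the psql banner and flags pg_hba.conf records whose clientcert value is not documented for that release. It assumes that verify-ca and verify-full are documented from PostgreSQL 12 onward (the quoted page is the version 12 manual, while the banner shows a 9.6.21 server); the function names are hypothetical.

```python
import re

# Assumption (not stated in the post): clientcert=verify-ca / verify-full are
# documented from PostgreSQL 12 on; older manuals describe only clientcert=1.
VERIFY_VALUES_SINCE = 12
NEW_VALUES = {"verify-ca", "verify-full"}

# Sample input taken from the post: both records it tried, and its psql banner.
SAMPLE_HBA = (
    "hostssl   all   all   0.0.0.0/0   md5  clientcert=verify-ca\n"
    "hostssl   all   all   0.0.0.0/0   md5  clientcert=verify-full\n"
)
SAMPLE_BANNER = "psql (10.17, server 9.6.21)"

def server_major(banner):
    """Return the server's major version number from a psql banner line."""
    m = re.search(r"psql \((\d+)[\d.]*(?:, server (\d+)[\d.]*)?\)", banner)
    if not m:
        raise ValueError("not a psql version banner: %r" % banner)
    # Without a ", server X" part, client and server share a major version.
    return int(m.group(2) or m.group(1))

def parse_hba_line(line):
    """Return (type, auth_method, options) for one record, or None if empty."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    # local: type db user method; host*: type db user address method
    # (address assumed to be a single CIDR field, as in the post).
    method_idx = 3 if fields[0] == "local" else 4
    if len(fields) <= method_idx:
        raise ValueError("incomplete pg_hba.conf record: %r" % line)
    options = dict(f.split("=", 1) for f in fields[method_idx + 1:] if "=" in f)
    return fields[0], fields[method_idx], options

def check_clientcert(hba_text, banner):
    """List (line number, clientcert value, server major) for each record
    whose clientcert value is newer than the running server."""
    major = server_major(banner)
    findings = []
    for lineno, line in enumerate(hba_text.splitlines(), 1):
        rec = parse_hba_line(line)
        if rec is None:
            continue
        value = rec[2].get("clientcert")
        if value in NEW_VALUES and major < VERIFY_VALUES_SINCE:
            findings.append((lineno, value, major))
    return findings

if __name__ == "__main__":
    for lineno, value, major in check_clientcert(SAMPLE_HBA, SAMPLE_BANNER):
        print("line %d: clientcert=%s not documented for server major %d"
              % (lineno, value, major))
```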

 

 
