
Client SSL validation using root.crt

Author: sergio.cinos@info3.com

2006-11-17, 5:23 am

Dear list members,

I see a strange behaviour using root.crt. PostgreSQL always waits for a
client certificate to check against root.crt. But when I set up a
'hostnossl' auth line in pg_hba.conf, PostgreSQL still wants a client
certificate. It also fails if the line is a 'host' line.

Better with an example:

---pg_hba.conf---
hostssl all all 192.168.0.1/32 md5
hostnossl all all 192.168.0.2/32 md5
-----------------

If I connect to PostgreSQL from 192.168.0.1, it fails if I don't
provide a client certificate, which is ok. But if I connect from
192.168.0.2, it also fails because I don't send a certificate. But I
declared a non-SSL connection from 192.168.0.2, so it should let me
connect to databases, shouldn't it?

Removing root.crt works as expected. The client at 192.168.0.1 connects
using an SSL connection, and the client at 192.168.0.2 connects using a
single connection.

Is this behaviour ok? I think not. I want to allow clients on my LAN to
access the PostgreSQL server without an SSL connection, and to require
a client certificate and an SSL connection from clients outside my LAN.
I think it is not a strange configuration. So the configuration is:
---pg_hba.conf---
hostnossl all all <my-lan-range> md5
hostssl <user> <db> 0.0.0.0/0 md5
-----------------
This fails, because PostgreSQL expects all clients to provide a
client certificate.

Is there any config option to solve this? Is there any page or manual
about PostgreSQL with SSL (more in-depth than
http://www.postgresql.org/docs/8.0/...ve/ssl-tcp.html)?
Oh, I'm using PostgreSQL 8.0.8 on a Gentoo box. Maybe I have to upgrade
to another version?

Thank you in advance.

--
Sergio Cinos
Info3 Servicios Informáticos S.L.
sergio.cinos@info3.com - www.info3.com


---------------------------(end of broadcast)---------------------------
TIP 2: Don't 'kill -9' the postmaster

Tom Lane

2006-11-17, 7:14 pm

"sergio.cinos@info3.com (IMAP)" <sergio.cinos@info3.com> writes:
> I see a strange behaviour using root.crt. PostgreSQL always waits for a
> client certificate to check against root.crt. But when I set up a
> 'hostnossl' auth line in pg_hba.conf, PostgreSQL still wants a client
> certificate.

If your client first tries to connect with SSL, it seems likely that the
certificate check would occur before we examine pg_hba.conf and decide
to reject the connection on that basis. But your client should then
retry without SSL. See libpq's "sslmode" parameter and PGSSLMODE
environment variable if you want it to try in the other order.

regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 4: Have you searched our list archives?

http://archives.postgresql.org
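To make Tom's explanation concrete, here is an added example (not part of the thread and not PostgreSQL's or libpq's own code): a simplified Python model of the libpq sslmode attempt order against Sergio's pg_hba.conf. It assumes, as the reply states, that with root.crt installed the server's client-certificate check happens during the SSL handshake, before pg_hba.conf is consulted, and that a client in sslmode=prefer then retries without SSL; the database and user names are placeholders.

```python
import ipaddress

# Simplified model (added example, not PostgreSQL's own code) of how libpq's
# sslmode attempt order interacts with a server-side root.crt and pg_hba.conf.

# Order in which libpq tries SSL (True) / plain (False) for each sslmode value.
SSLMODE_ORDER = {"disable": [False], "allow": [False, True],
                 "prefer": [True, False], "require": [True]}

def parse_hba(text):
    """Parse 'type database user cidr method' lines from a pg_hba.conf fragment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, db, user, cidr, method = line.split()
        rules.append((kind, db, user, ipaddress.ip_network(cidr, strict=False), method))
    return rules

def match_hba(rules, client_ip, db, user, ssl):
    """Return the auth method of the first matching rule, or None if none matches."""
    ip = ipaddress.ip_address(client_ip)
    for kind, rdb, ruser, net, method in rules:
        if (kind == "hostssl" and not ssl) or (kind == "hostnossl" and ssl):
            continue
        if rdb not in ("all", db) or ruser not in ("all", user) or ip not in net:
            continue
        return method
    return None

def connect(rules, client_ip, db, user, sslmode, has_client_cert, server_root_crt):
    """Simulate the connection attempts; returns [(ssl_used, outcome), ...]."""
    attempts = []
    for ssl in SSLMODE_ORDER[sslmode]:
        # With root.crt installed the server demands a client certificate during
        # the SSL handshake, i.e. before pg_hba.conf is ever consulted (assumption
        # taken from the reply above).
        if ssl and server_root_crt and not has_client_cert:
            attempts.append((ssl, "rejected: client certificate required"))
            continue
        method = match_hba(rules, client_ip, db, user, ssl)
        if method is None:
            attempts.append((ssl, "rejected: no matching pg_hba.conf entry"))
            continue
        attempts.append((ssl, "accepted: auth " + method))
        break
    return attempts

# The configuration from the original post (constructed from the thread text).
HBA = parse_hba("""
hostssl   all all 192.168.0.1/32 md5
hostnossl all all 192.168.0.2/32 md5
""")
```

Running `connect(HBA, "192.168.0.2", "db", "u", "prefer", False, True)` shows the LAN client's first (SSL) attempt rejected at the certificate stage and the plain retry accepted, while `sslmode="disable"` (or PGSSLMODE=disable) skips the failing attempt entirely.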
