Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca

On 2/3/25 08:09, Adrian Klaver wrote:
> On 2/3/25 02:14, Zwettler Markus (OIZ) wrote:

>> Is it possible to configure "clientcert=disable" in pg_hba.conf or 
>> disable the client verification otherwise?
>> The docs only mention "verify-ca" and "verify-full".
>> "In addition to the method-specific options listed below, there is a 
>> method-independent authentication option clientcert, which can be 
>> specified in any hostssl record. This option can be set to verify-ca 
>> or verify-full."
>> https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
>>
> 
>  From what I understand your client has to either not have the client 
> certificates or create them correctly.
> 

To follow up from here:


https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/libpq/be-secure-openssl.c;h=abf67bb1b2728e6d2cc9851ca71006d2fd0cde54;hb=HEAD

/*
* Always ask for SSL client cert, but don't fail if it's not
* presented.  We might fail such connections later, depending on what
* we find in pg_hba.conf.
*/
          SSL_CTX_set_verify(context,
                             (SSL_VERIFY_PEER |
                              SSL_VERIFY_CLIENT_ONCE),
                             verify_cb);

-- 
Adrian Klaver
adrian.klaver@aklaver.com