Re: Is Client connections via ca.crt only possible?
From | Thomas Guyot |
---|---|
Subject | Re: Is Client connections via ca.crt only possible? |
Date | |
Msg-id | 2427474d-b5f7-cd8a-c4a9-b6cf36644de0@gmail.com |
In reply to | Is Client connections via ca.crt only possible? (Rejo Oommen <rejo.oommen@gmail.com>) |
List | pgsql-general |
On 2022-08-03 21:37, Rejo Oommen wrote:
> Thank you for the reply Thomas. I agree with you on the mutual TLS
> that you mentioned.
>
> Here is what I was looking at.
>
> The configurations at the server end will be with auth-method as md5
> and auth-option as clientcert=verify-ca.

There's your issue. If you tell the server to validate the client cert, then it will require the client to provide a valid cert to identify itself.

> In this way, the user's password along with the valid ca should allow
> connections to pass.

The ca on your setup is only useful for the client to ensure the server is the correct one and prevent MITM attacks. This is a client-side check, not server-side.

The only authentication security here is the password/md5, but protected from eavesdropping (passive and MITM) and connection hijacking by encryption, with some of these protections only effective when the client uses the verify-ca option.

The server cannot ensure the client is actually validating the ca, not even that it's talking to the actual client and not a MITM, simply because the client itself is not authenticated by mutual TLS.

Regards

--
Thomas
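The configuration the reply is talking about, written out as an added example (it is not part of the thread, and neither poster supplied these files). It shows the original poster's `md5` plus `clientcert=verify-ca` line next to the three shapes a practitioner would actually choose between: password only over TLS, certificate only, or both. The file names (`server.crt`, `server.key`, `ca.crt`, `app.crt`, `app.key`), the host `db.example.internal`, the address range `10.0.0.0/8`, and the database/user `app` are assumptions for illustration.

```conf
# postgresql.conf (server side). Assumed file names, not from the thread.
# ssl_ca_file is only consulted when a pg_hba.conf line asks for a client
# certificate; it is NOT what makes the client trust the server.
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file  = 'server.key'
ssl_ca_file   = 'ca.crt'

# pg_hba.conf (server side). First match wins; keep the most specific rule first.
# TYPE     DATABASE   USER    ADDRESS        METHOD          [OPTIONS]

# 1. What the original poster configured. clientcert=verify-ca makes the
#    server demand a client certificate chained to ssl_ca_file. A client that
#    has only the password and a copy of ca.crt is rejected regardless of
#    whether the password is right.
hostssl    all        all     10.0.0.0/8     md5             clientcert=verify-ca

# 2. "Password only, but encrypted", which is what the poster wanted.
#    The server never asks for a client certificate. ca.crt is used only on
#    the client (sslrootcert) so the client can authenticate the server.
#    scram-sha-256 replaces md5 for the password exchange.
hostssl    all        all     10.0.0.0/8     scram-sha-256

# 3. Mutual TLS with the certificate as the identity. The cert method implies
#    verify-full: the chain must validate against ssl_ca_file and the cert CN
#    must equal the database user name (or map to it via pg_ident.conf).
hostssl    all        all     10.0.0.0/8     cert

# 4. Both factors: the password is checked AND a CA-signed certificate whose
#    CN matches the user is required.
hostssl    all        all     10.0.0.0/8     scram-sha-256   clientcert=verify-full

# Client side (libpq connection strings) for the lines above.
# Line 2: the client pins the server with ca.crt; the server only ever sees
# the password. verify-full also checks the server cert's name against host.
#   psql "host=db.example.internal dbname=app user=app sslmode=verify-full sslrootcert=ca.crt"
# Lines 1, 3 and 4: the client must additionally present its own certificate.
#   psql "host=db.example.internal dbname=app user=app sslmode=verify-full sslrootcert=ca.crt sslcert=app.crt sslkey=app.key"
```

The point the reply makes is visible in the two halves: `sslrootcert` on the client tells the client who the server is, while `clientcert=...` on the server tells the server who the client is. Nothing in line 2 lets the server know whether the client bothered to set `sslmode=verify-full`; only the `clientcert` options or the `cert` method give the server an identity it can check, and then the client must have a key and certificate, not just `ca.crt`.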