Re: [PATCH] Documentation bug related to client authentication using TLS certificate
From | Chris Bandy |
---|---|
Subject | Re: [PATCH] Documentation bug related to client authentication using TLS certificate |
Date | |
Msg-id | 6ecb3825-ac9a-e1c0-9324-29cb771f65e9@gmail.com |
In reply to | [PATCH] Documentation bug related to client authentication using TLS certificate (Cary Huang <cary.huang@highgo.ca>) |
Replies | Re: [PATCH] Documentation bug related to client authentication using TLS certificate |
List | pgsql-hackers |
Hi, Cary.

On 3/2/20 1:06 PM, Cary Huang wrote:
> Hi
>
> I found a document bug about client authentication using TLS
> certificate. When clientcert authentication is enabled in pg_hba.conf,
> libpq does not verify that the *common name* in certificate
> matches *database username* like it is described in the documentation
> before allowing client connection.
>
> Instead, when sslmode is set to “verify-full”, libpq will verify if the
> *server host name* matches the *common name* in client certificate.

This sounds incorrect. My understanding is that the *server* host name is
always matched with the *server* common name.

> When sslmode is set to “verify-ca”, libpq will verify that the client is
> trustworthy by checking the certificate trust chain up to the root
> certificate and it does not verify *server hostname* and
> certificate *common name* match in this case.

Similarly, libpq will verify the *server* is trustworthy by checking the
*server* certificate up to the root. It does not verify that the host name
matches the common name in the *server* certificate.

In all cases, libpq is responsible for verifying the *server* is who it
claims to be.

--
Chris
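As an added illustration (not code from this thread or from PostgreSQL itself), the split Chris describes, modelled in Python: the client-side helper mirrors what libpq checks about the server certificate under verify-ca versus verify-full using the stdlib ssl module, and the server-side helper models the pg_hba.conf `cert` method's comparison of the client certificate CN with the database user, including a simplified pg_ident.conf map. The function names, the map contents and the user names are constructed for this example.

```python
import re
import ssl
from typing import Optional

# Client side: libpq verifies the SERVER certificate, and sslmode decides how
# far that goes. Hypothetical helper that builds an equivalent ssl.SSLContext.
def ssl_context_for(sslmode: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    if sslmode not in ("verify-ca", "verify-full"):
        raise ValueError("only verify-ca and verify-full validate the server chain")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED                # chain must end at sslrootcert
    ctx.check_hostname = (sslmode == "verify-full")    # CN/SAN vs "host" only here
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    # The client certificate (sslcert/sslkey) is only presented to the server;
    # libpq never compares its CN with anything.
    return ctx

# Constructed pg_ident.conf, selected with "cert map=certmap" in pg_hba.conf.
# Format: mapname system-username database-username; a system-username that
# starts with "/" is a regex and "\1" in database-username is its first group.
IDENT_MAP = """
certmap  /^(.*)@example\\.com$  \\1
certmap  ops-admin             postgres
"""

# Server side: with the "cert" method the SERVER compares the client
# certificate's CN with the requested database user (simplified model).
def cert_auth_allows(cert_cn: str, db_user: str, ident_map: Optional[str] = None) -> bool:
    if ident_map is None:
        return cert_cn == db_user                      # no map: exact match only
    for line in ident_map.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        _map, sys_name, pg_name = line.split()
        if sys_name.startswith("/"):
            m = re.search(sys_name[1:], cert_cn)       # anchoring is the map author's job
            if m is None:
                continue
            if "\\1" in pg_name:
                if not m.groups():
                    continue
                pg_name = pg_name.replace("\\1", m.group(1))
            if pg_name == db_user:
                return True
        elif sys_name == cert_cn and pg_name == db_user:
            return True
    return False
```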