Re: postgres ssl client certificate authentification
From | Tom Lane |
---|---|
Subject | Re: postgres ssl client certificate authentification |
Date | |
Msg-id | 959129.1634312968@sss.pgh.pa.us |
In response to | postgres ssl client certificate authentification ("Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch>) |
List | pgsql-general |
"Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch> writes:

> I am playing around with postgres ssl encryption. I am confused about client certificate authentication:
>
> <quote>
> The second approach combines any authentication method for hostssl entries with the verification of client certificates by setting the clientcert authentication option to verify-ca or verify-full. The former option only enforces that the certificate is valid, while the latter also ensures that the cn (Common Name) in the certificate matches the user name or an applicable mapping.
> </quote>
>
> https://www.postgresql.org/docs/12/ssl-tcp.html

Given that your server is 9.6.x, you're reading the wrong version of the docs. Per

https://www.postgresql.org/docs/9.6/auth-pg-hba-conf.html

the only clientcert value that does anything is "1":

    In addition to the method-specific options listed below, there is one
    method-independent authentication option clientcert, which can be
    specified in any hostssl record. When set to 1, this option requires
    the client to present a valid (trusted) SSL certificate, in addition
    to the other requirements of the authentication method.

regards, tom lane
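An added example (not part of the message above and not PostgreSQL project code): a small Python check that applies the 9.6 rule quoted in the reply to a pg_hba.conf, classifying each hostssl record by whether its clientcert option is the value 1. The sample file contents and the function name `audit_hba_for_96` are constructed for illustration.

```python
import shlex

# Constructed sample pg_hba.conf for a 9.6 server (not taken from the thread).
SAMPLE_HBA = """\
# TYPE   DATABASE  USER  ADDRESS         METHOD  OPTIONS
hostssl  all       all   10.0.0.0/8      md5     clientcert=1
hostssl  all       all   192.168.0.0/16  md5     clientcert=verify-full
hostssl  app       app   0.0.0.0/0       md5     clientcert=verify-ca  # copied from v12 docs
hostssl  all       all   172.16.0.0/12   md5
host     all       all   127.0.0.1/32    md5
"""

def audit_hba_for_96(text):
    """Classify every hostssl record against the 9.6 clientcert rule.

    Returns a list of (line_number, status) where status is:
      "enforced"           clientcert=1, client certificate required
      "no-effect:<value>"  a clientcert value other than 1 (e.g. v12 syntax)
      "absent"             no clientcert option on the record
      "unparsable"         the line has an unbalanced quote
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        try:
            # pg_hba.conf fields are whitespace separated, may be
            # double-quoted, and '#' starts a comment.
            fields = shlex.split(raw, comments=True)
        except ValueError:
            if raw.lstrip().startswith("hostssl"):
                findings.append((lineno, "unparsable"))
            continue
        if not fields or fields[0] != "hostssl":
            continue  # clientcert is only valid on hostssl records
        values = [f.split("=", 1)[1] for f in fields[1:]
                  if f.startswith("clientcert=")]
        if not values:
            findings.append((lineno, "absent"))
        elif values[-1] == "1":
            findings.append((lineno, "enforced"))
        else:
            findings.append((lineno, "no-effect:" + values[-1]))
    return findings

if __name__ == "__main__":
    for lineno, status in audit_hba_for_96(SAMPLE_HBA):
        print(f"line {lineno}: {status}")
```

Any record reported as `no-effect:` or `absent` on a 9.6 server is one where the client certificate requirement the operator may have intended is not in force.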