Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca
| От | Adrian Klaver |
|---|---|
| Тема | Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca |
| Дата | |
| Msg-id | c405c2ba-c0db-453d-909e-d3e893b9d94b@aklaver.com обсуждение исходный текст |
| Ответ на | Re: Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca ("Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch>) |
| Список | pgsql-general |
On 1/31/25 00:57, Zwettler Markus (OIZ) wrote: >> Von: Tom Lane <tgl@sss.pgh.pa.us> >> Those cause some additional checks to be made, but it's not like you can expect a >> completely broken certificate to work without them. >> >> regards, tom lane > > > > I don't understand why Postgres does a certificate validation with “sslmode=prefer”. Postgres should simply ignore everypresented client certificate here. Regardless of whether it is trusted or not. What are the relevant lines in pg_hba.conf? > > A certificate validation should only take place in the modes “sslmode=verify-ca” and “ssmode=verify-full”. Only here shouldPostgres refuse a connection with non-trusted certificates. > > At least that's what I read in the documentation. No? > > Regards, Markus > -- Adrian Klaver adrian.klaver@aklaver.com
В списке pgsql-general по дате отправления: