"Zwettler Markus (OIZ)" <markus.zwett...@zuerich.ch> writes: > I am playing around with postgres ssl encryption. I am confused about client > certificate authentication:
> <quote> > The second approach combines any authentication method for hostssl entries > with the verification of client certificates by setting the clientcert > authentication option to verify-ca or verify-full. The former option only > enforces that the certificate is valid, while the latter also ensures that > the cn (Common Name) in the certificate matches the user name or an > applicable mapping. > </quote> > https://www.postgresql.org/docs/12/ssl-tcp.html Given that your server is 9.6.x, you're reading the wrong version of the docs. Per https://www.postgresql.org/docs/9.6/auth-pg-hba-conf.html the only clientcert value that does anything is "1": In addition to the method-specific options listed below, there is one method-independent authentication option clientcert, which can be specified in any hostssl record. When set to 1, this option requires the client to present a valid (trusted) SSL certificate, in addition to the other requirements of the authentication method. regards, tom lane
