> Von: Tom Lane <t...@sss.pgh.pa.us> > Gesendet: Donnerstag, 30. Januar 2025 18:51 > An: Zwettler Markus (OIZ) <markus.zwett...@zuerich.ch> > Cc: pgsql-general@lists.postgresql.org > Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca > > "Zwettler Markus (OIZ)" <markus.zwett...@zuerich.ch> writes: > > However, one client also configured some client certificates + > > "sslmode=prefer" > which resulted in "could not accept ssl connection tlsv1 alert unknown ca". > > I'm no expert, but I think this typically means a missing or untrusted > intermediate > certificate, that is no chain of trust to one of the certs that your OpenSSL > considers trusted. > > > I always thought that Postgres does only validate certificates with > > "sslmode=verify-ca" and "sslmode=verify-full" => > > https://www.postgresql.org/docs/current/libpq-ssl.html > > Those cause some additional checks to be made, but it's not like you can > expect a > completely broken certificate to work without them. > > regards, tom lane
I don't understand why Postgres does a certificate validation with “sslmode=prefer”. Postgres should simply ignore every presented client certificate here. Regardless of whether it is trusted or not. A certificate validation should only take place in the modes “sslmode=verify-ca” and “ssmode=verify-full”. Only here should Postgres refuse a connection with non-trusted certificates. At least that's what I read in the documentation. No? Regards, Markus
