Server: 7.4.8 on Red Hat EL4. Client psql 8.0.3 on WinXP. Using a
test server.crt and server.key, as described in 8.0 docs 16.8, I can
activate SSL encryption (WinXP 8.0.3 psql reports SSL Connection
at connect), and as expected, the server log reports that root.crt
is not found. If I copy server.crt to root.crt and start up server
again, the missing root.crt message disappears. But I can still
connect with psql with no postgresql.crt on client (docs
27.13). Apparently, the root.crt, which in this case is a copy of
server.crt, is not interpreted as a CA crt, but how does the server
know? Isn't a CA cert just a self signed crt? Why is there not a
warning that client authentication will not take place, when it
apparently does not? Does the server only check that a root.crt file
is present, and not that is contains valid information?
You really need a separate root CA cert and server key. The server
key should be signed by the root CA, which is self-signed. The root
CA private key should be kept secure somewhere else--the database
server doesn't need access to it.
I just went though the whole exercise of creating a CA and setting up
an app for client cert authentication, so I am reasonably sure the
above is your problem.
For client auth to work, you need:
* Root CA certificate available to both client and server
* Server cert signed by root CA, with CN=server hostname
* Client cert signed by root CA, available to client to present to
server.
-Doug
Thanks for your comments.
I seem to get SSL client authentication to work with a 8.0.3 server on win32
(a client crt needed for connection), but still not with the 7.4.8 server
on Red Hat EL4, even with separate root CA subject and server.crt subject,
as you suggest.
Interestingly, version 8 docs (16.8) mention the root.crt file needed for
client auth, while 7.4 docs do not mention it. Similarly, the 27.13 section
on libpq SSL support in 8 docs is not there in the 7.4 docs. Maybe my problem
is that 7.4.8 doesn't support client authentication? However, that doesn't
fit with the fact that the 7.4.8 server log reports that it will not verify
client certificates if the root.crt file is missing in the server data
directory.
Have I missed some points regarding linux or 7.4 SSL setup? From docs I
understand that I only have to set SSL = true in postgresql.conf to switch
it on (in addition to providing the crt and key files).
KPL
---(end of broadcast)---
TIP 1: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly
