On Tue, Dec 21, 2004 at 07:06:00PM -0800, Joshua D. Drake wrote:
> The clients connecting remotely... do they support SSL? It looks
> like to me that you have ssl enabled. I would check the pg_hba.conf
> and the postgresql.conf for your ssl configuration.

Was there a change affecting client certificate handling a couple
of months ago? I recall SSL connections not working after one of
the updates I did. I could be misremembering, but I think the
problem was that the presence of $PGDATA/root.crt caused the backend
to require a client certificate, whereas before the update that
wasn't happening -- a client without a certificate could connect
as long as it spoke SSL and otherwise satisfied pg_hba.conf. The
solution was either to create a client certificate or to remove
$PGDATA/root.crt.

Hmmm...let's do a little test...

I have a server running 7.4.6 and 8.0.0rc2. Both have root.crt,
server.crt, and server.key; both have "ssl = true" in postgresql.conf;
and both have a "hostssl" line in pg_hba.conf to force SSL for
remote clients.

I have a remote client running 8.0.0rc2. I'll connect to each
server twice, once with a client certificate and once without
(the certificate is in $HOME/.postgresql/postgresql.{crt,key}):

1. Connect to 7.4.6 with certificate: success
2. Connect to 8.0.0rc2 with certificate: success

Now I'll remove the certificate files and attempt the connections
again:

3. Connect to 7.4.6 without certificate: success
4. Connect to 8.0.0rc2 without certificate: failure

For the failure in (4), the client gave the following error:

psql: could not open certificate file "/.../.postgresql/postgresql.crt": No such file or directory

The 8.0.0rc2 server logged the following:

could not accept SSL connection: peer did not return a certificate

The backend's behavior regarding client certificates when root.crt
exists appears to have changed between the 7.4 branch and the latest
8.0 release candidate. If I remember correctly, 8.0 behaved as 7.4
does (client certificates not required even when root.crt exists)
until a couple of months ago. Was that change intentional or
accidental?
--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
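The pre-flight check implied by the test above, written as an added example (not code from the PostgreSQL project or from the poster): it parses postgresql.conf and pg_hba.conf text, looks at which of server.crt, server.key and root.crt sit in $PGDATA, and reports whether a given remote client is forced onto SSL and whether root.crt will make the backend demand a client certificate, encoding the 8.0.0rc2 behaviour observed in the thread. The sample configuration and file listing are constructed, and the function names are the example's own.

```python
"""Audit of a PostgreSQL server's SSL posture, modelled on the test in the
thread above.  Added example, not code from the PostgreSQL project."""
from ipaddress import ip_address, ip_network

def conf_value(conf_text, key):
    """Value of `key` in postgresql.conf text (comments stripped), or None."""
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0]
        if '=' in line and line.split('=', 1)[0].strip() == key:
            return line.split('=', 1)[1].strip().strip("'")
    return None

def parse_hba(hba_text):
    """Parse pg_hba.conf (7.4+ CIDR syntax) into dicts; 'local' lines have no net."""
    entries = []
    for line in hba_text.splitlines():
        f = line.split('#', 1)[0].split()
        if not f:
            continue
        if f[0] == 'local':
            entries.append(dict(type=f[0], net=None, method=f[3]))
        else:
            entries.append(dict(type=f[0], net=ip_network(f[3], strict=False), method=f[4]))
    return entries

def matching_entry(entries, client_ip):
    """pg_hba.conf is first-match: return the first host entry covering client_ip."""
    for e in entries:
        if e['net'] is not None and ip_address(client_ip) in e['net']:
            return e
    return None

def audit(pgdata_files, conf_text, hba_text, client_ip):
    """Findings for a remote client at client_ip, given the server's files."""
    entry = matching_entry(parse_hba(hba_text), client_ip)
    return {
        'ssl_enabled': conf_value(conf_text, 'ssl') in ('true', 'on', 'yes', '1'),
        'server_cert_ok': {'server.crt', 'server.key'} <= set(pgdata_files),
        # root.crt present: the 8.0.0rc2 backend in the thread then demanded a client cert
        'client_cert_demanded': 'root.crt' in pgdata_files,
        'ssl_forced': entry is not None and entry['type'] == 'hostssl',
    }

# Constructed sample inputs mirroring the thread's setup, not real files.
SAMPLE_CONF = "ssl = true   # accept SSL connections\nport = 5432\n"
SAMPLE_HBA = """local   all  all                 trust
hostssl all  all  192.0.2.0/24   md5
host    all  all  10.0.0.0/8     md5
"""
SAMPLE_PGDATA = ['postgresql.conf', 'pg_hba.conf', 'server.crt', 'server.key', 'root.crt']
```

Running `audit(SAMPLE_PGDATA, SAMPLE_CONF, SAMPLE_HBA, '192.0.2.10')` reproduces case (4): SSL forced, root.crt present, so a client without postgresql.crt should be expected to fail against an 8.0.0rc2 backend.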