Re: Question about cert authentication method.

Yes. My question is about the log message. 

Log message in the postmaster says...FATAL: certificate authentication failed for user "test (S114546)"

But certificate authentication should pass because supplied user in the connection request and CN in certificate is same.

It should fail afterwards with message that user "test (S114546)" does not exist.

Thanks,

Dhirendra.

On Fri, Nov 25, 2022 at 9:18 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:

Laurenz Albe <laurenz.albe@cybertec.at> writes:
> On Fri, 2022-11-25 at 15:36 +0530, Dhirendra Singh wrote:
>> I am expecting the connection to fail because user "test (S114546) does not exist. but i am confused about the error message in the server log.
>> It says certificate authentication failed  for user "test (S114546)". but CN in the certificate matches with the user name in psql connection request.
>> So certificate authentication should pass. It should fail afterwards.

> Well, "test" is different from "test (S114546)", so what do you expect?

I think the OP is complaining about the message contents, not the
fact of the failure.  However, it's intentional that the message sent
to the client is vague about the exact cause of an authentication
failure.  Otherwise we might be giving aid to a blackhat trying to
break into the server.  The postmaster log is supposed to be more
specific, and it looks to me like what's in the log is accurate.

                        regards, tom lane