Re: Question on SSL certificate expiry

Hi Tom,

We are using verify-full on both client and server. 

Server Side pg_hba.conf

hostssl all <user> <ip> cert clientcert=1

Server Side SSL

postgres=# show ssl_cert_file ;

            ssl_cert_file             

--------------------------------------

 /data/server.cert

postgres=# show ssl_ca_file ;

                 ssl_ca_file                 

---------------------------------------------

 /data/ca-cert.pem

postgres=# show ssl_key_file ;

            ssl_key_file             

-------------------------------------

 /data/server.key

Client side SSL

export PGSSLROOTCERT="ca.pem"                                       

export PGSSLMODE="verify-full"                               

export PGSSLCERT="cert.pem"

export PGSSLKEY="cert.key" 

Thanks,

Nikhil

On Thu, Jun 1, 2023 at 6:37 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:

Nikhil Shetty <nikhil.dba04@gmail.com> writes:
> We were using MTLS to connect to the database. We noticed that even after
> server certificates expired the client was able to connect to the database.

> 1. Doesn't postgres check the expiry date of the certificate?

Postgres does not.  The openssl library can.  The most likely
guess, on the basis of the next-to-zero details you provided,
is that the connection is succeeding via some method that doesn't
require the client to check the server's certificate --- for
instance, a completely unencrypted connection.

                        regards, tom lane