On 1/31/25 00:57, Zwettler Markus (OIZ) wrote:
Von: Tom Lane <[email protected]>
Those cause some additional checks to be made, but it's not like you can expect a completely broken certificate to work without them. regards, tom laneI don't understand why Postgres does a certificate validation with “sslmode=prefer”. Postgres should simply ignore every presented client certificate here. Regardless of whether it is trusted or not.
What are the relevant lines in pg_hba.conf?
A certificate validation should only take place in the modes “sslmode=verify-ca” and “ssmode=verify-full”. Only here should Postgres refuse a connection with non-trusted certificates. At least that's what I read in the documentation. No? Regards, Markus
-- Adrian Klaver [email protected]
