[pgpool-hackers: 3488] Re: Cert auth in Pgpool-II
Tatsuo Ishii
ishii at sraoss.co.jp
Wed Jan 8 22:53:17 JST 2020

Hi Usama,
Thank you for looking into this. However I am not sure if fixing this
is worth the trouble because I don't know any use case for
clientcert=verify-ca. Do you have any idea?
> Hi Ishii-San
>
> Thanks for the confirmation. I am looking into this and will update with
> the findings and a possible fix.
>
> Thanks
> Best regards
> Muhammad Usama
>
>
> On Wed, Jan 8, 2020 at 6:28 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
>
>> > Hi Usama,
>> >
>> > Pgpool-II does support certificate authentication between client and
>> > Pgpool-II but it does not support the verify option, i.e. it treats it as if
>> > "clientcert=verify-full" in pg_hba.conf.
>>
>> I confirmed this.
>>
>> t-ishii$
>> PGSSLCERT=/home/t-ishii/work/Pgpool-II/current/pgpool2/src/test/regression/tests/024.cert_auth/frontend.crt
>> PGSSLKEY=/home/t-ishii/work/Pgpool-II/current/pgpool2/src/test/regression/tests/024.cert_auth/frontend.key
>> psql --set=sslmode=require -h localhost -p 11000 -U foo test
>>
>> psql: error: could not connect to server: ERROR: CERT authentication
>> failed
>> DETAIL: no valid certificate presented
>> FATAL: client authentication failed
>> DETAIL: no pool_hba.conf entry for host "127.0.0.1", user "foo", database
>> "test", SSL off
>> HINT: see pgpool log for details
>>
>> Best regards,
>> --
>> Tatsuo Ishii
>> SRA OSS, Inc. Japan
>> English: http://www.sraoss.co.jp/index_en.php
>> Japanese:http://www.sraoss.co.jp
>>