[pgpool-hackers: 2987] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II

Tatsuo Ishii ishii at sraoss.co.jp
Fri Aug 24 12:58:05 JST 2018

> Hi,
> On 08/14/2018 02:04 PM, Jesper Pedersen wrote:
>> Could you expand a bit on this ?
>> I have
>> pg_hba.conf:
>> ------------
>> hostssl  all  all  all  scram-sha-256 clientcert=1
>> so clients, in this case pgpool, require a certificate to connect.
>> However, in pgpool.conf I see
>> * ssl
>> * ssl_key
>> * ssl_cert
>> * ssl_ca_cert
>> which are "server" side configuration. We need a ssl_client_cert
>> option, right ?
>> At the moment I get:
>> ERROR:  failed to authenticate
>> DETAIL:  connection requires a valid client certificate
>> psql works (-p 5432) through the implicit ~/.postgresql defaults.
>> The goal is to have SCRAM-SHA256 with SSL client certificate
>> authentication in the entire stack: client <-> pgpool <-> PostgreSQL.

I am a little bit confused. In my understanding, SSL certificate
authentication does not require password authentication, including
SCRAM auth.

From the PostgreSQL manual (see the last sentence):
20.3.9. Certificate Authentication

This authentication method uses SSL client certificates to perform
authentication. It is therefore only available for SSL
connections. When using this authentication method, the server will
require that the client provide a valid, trusted certificate. No
password prompt will be sent to the client.

Best regards,
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
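
The two configurations discussed in this thread, as an added example that is not part of the original message and is not Pgpool-II or PostgreSQL code: a Python classifier that reports, for each pg_hba.conf rule, whether the connecting client (here pgpool, as PostgreSQL's client) must present a certificate, complete a password exchange, or both. Assumptions: the names `classify`, `audit` and `SAMPLE` are hypothetical, the sample rules are constructed around the one quoted above, and host rules use the single-column address form.

```python
# Added example: what must a client present to satisfy a pg_hba.conf rule?
import shlex

PASSWORD_METHODS = {"scram-sha-256", "md5", "password"}
CERT_REQUIRED_VALUES = {"1", "verify-ca", "verify-full"}

# Constructed sample; the first rule is the one quoted in the thread.
SAMPLE = """\
# TYPE   DATABASE USER ADDRESS METHOD [OPTIONS]
hostssl  all  all  all  scram-sha-256 clientcert=1
hostssl  all  all  all  cert
hostssl  all  all  all  scram-sha-256
"""


def classify(line):
    """Return (method, needs_client_cert, needs_password), or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = shlex.split(line)
    conn_type = fields[0]
    # Assumption: "local" rules have no address column; host* rules use a
    # single-column address (CIDR or a keyword such as "all").
    method_idx = 3 if conn_type == "local" else 4
    if len(fields) <= method_idx:
        raise ValueError(f"incomplete rule: {line!r}")
    method = fields[method_idx]
    options = dict(o.split("=", 1) for o in fields[method_idx + 1:] if "=" in o)
    # The clientcert option is only available on hostssl rules; the cert
    # method always requires a client certificate and sends no password prompt.
    needs_cert = method == "cert" or (
        conn_type == "hostssl" and options.get("clientcert") in CERT_REQUIRED_VALUES
    )
    return method, needs_cert, method in PASSWORD_METHODS


def audit(text):
    """Classify every rule in a pg_hba.conf-style string."""
    return [r for r in map(classify, text.splitlines()) if r is not None]


if __name__ == "__main__":
    for method, cert, password in audit(SAMPLE):
        print(f"{method:14} client cert: {cert!s:5} password exchange: {password}")
```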
