Is Client connections via ca.crt only possible?
Requirement is to use only ca.crt and connect to postgres
Server.crt, Server.key and ca.crt are configured at the postgres server for
tls connection.
Connection successful while using:
psql 'host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca
sslcert=/tmp/server.crt sslkey=/tmp/server.key sslrootcert=/tmp/ca.crt
port=5432'
For clients to connect, can they use only ca.crt and connect to the DB?
Tried and got the below error:
psql 'host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca
sslrootcert=/tmp/ca.crt port=5432'
psql: error: connection to server at "172.29.21.222", port 50001 failed:
FATAL: connection requires a valid client certificate
On 2022-08-01 04:12, Rejo Oommen wrote:
> Requirement is to use only ca.crt and connect to postgres
> Server.crt, Server.key and ca.crt are configured at the postgres
> server for tls connection. Connection successful while using:
> psql 'host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca
> sslcert=/tmp/server.crt sslkey=/tmp/server.key sslrootcert=/tmp/ca.crt
> port=5432'
> For clients to connect, can they use only ca.crt and connect to the
> DB? Tried and got the below error:
> psql 'host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca
> sslrootcert=/tmp/ca.crt port=5432'
> psql: error: connection to server at "172.29.21.222", port 50001
> failed: FATAL: connection requires a valid client certificate
Hi Rejo,
I don't think you understand fully how mutual TLS auth works. For the
client to authenticate using a certificate, it needs a valid certificate
and key too, where the certificate is signed by a CA your server trusts
(usually the same CA that signed your server cert) and with a proper
subject (that bears the certificate owner's user name, the user you will
use to grant privileges in the database). You shouldn't even need to
pass a username; it will be in the certificate.
I'm talking purely from a generic view; I'm not familiar with any of the
specifics of PostgreSQL configuration, but TLS authentication requires a
secret and a CA certificate isn't secret. Your server certificate
authenticates the server, but nothing authenticates the client.
Regards,
--
Thomas
Thank you for the reply Thomas. I agree with you on the mutual TLS that you
mentioned.
Here is what I was looking at.
The configurations at the server end will be with auth-method as md5 and
auth-option as clientcert=verify-ca.
In this way, the user's password along with the valid ca should allow
connections to pass.
Regards,
Rejo
On Thu, 4 Aug 2022, 03:01 Thomas Guyot, <tguyot@gmail.com> wrote:
On 2022-08-03 21:37, Rejo Oommen wrote:
> Thank you for the reply Thomas. I agree with you on the mutual TLS
> that you mentioned. Here is what I was looking at.
> The configurations at the server end will be with auth-method as md5
> and auth-option as clientcert=verify-ca.
There's your issue. If you tell the server to validate the client cert,
then it will require the client to provide a valid cert to identify itself.
> In this way, the user's password along with the valid ca should allow
> connections to pass.
The ca on your setup is only useful for the client to ensure the server
is the correct one and prevent MITM attacks. This is a client-side
check, not server-side.
The only authentication security here is the password/md5, but protected
from eavesdropping (passive and MITM) and connection hijacking by
encryption, with some of these protections only effective when the
client uses the verify-ca option. The server cannot ensure the client is
actually validating the ca, not even that it's talking to the actual
client and not a MITM, simply because the client itself is not
authenticated by mutual TLS.
Regards
--
Thomas
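Thomas's point (clientcert=verify-ca makes the server demand a client certificate, while sslrootcert on the client proves nothing to the server) can be checked mechanically against a pg_hba.conf. This is an added example, not code from the thread or from PostgreSQL; the pg_hba.conf lines are constructed, and the rules follow the documented meaning of the cert method and the clientcert option.

```python
import shlex

# Constructed sample pg_hba.conf: the thread's server entry (md5 with
# clientcert=verify-ca) next to password-only and cert-only alternatives.
SAMPLE_HBA = """
# TYPE  DATABASE  USER      ADDRESS     METHOD        [OPTIONS]
hostssl test      postgres  0.0.0.0/0   md5           clientcert=verify-ca
hostssl test      postgres  0.0.0.0/0   scram-sha-256
hostssl all       all       0.0.0.0/0   cert
host    all       all       10.0.0.0/8  md5
"""

# clientcert values that make the server demand a client certificate
# (clientcert=1 is the pre-12 spelling of verify-ca).
CERT_REQUIRING = {"verify-ca", "verify-full", "1"}
PASSWORD_METHODS = {"md5", "scram-sha-256", "password"}


def parse_hba(text):
    """Return one dict per active entry; 'local' lines carry no address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = shlex.split(line)
        has_addr = f[0] != "local"
        m = 4 if has_addr else 3  # index of the auth method field
        opts = dict(o.split("=", 1) for o in f[m + 1:])
        entries.append({"type": f[0], "database": f[1], "user": f[2],
                        "address": f[3] if has_addr else None,
                        "method": f[m], "options": opts})
    return entries


def client_cert_required(entry):
    """True when the server rejects clients that present no certificate."""
    return (entry["method"] == "cert"
            or entry["options"].get("clientcert") in CERT_REQUIRING)


def client_needs(entry):
    """libpq inputs the entry demands; sslrootcert alone never satisfies it."""
    needs = {"sslcert", "sslkey"} if client_cert_required(entry) else set()
    if entry["method"] in PASSWORD_METHODS:
        needs.add("password")
    return needs


def audit(text):
    """Summarise per entry what actually proves the client's identity."""
    report = []
    for e in parse_hba(text):
        needs = client_needs(e)
        cert, pw = "sslcert" in needs, "password" in needs
        proof = ("password+certificate" if cert and pw else "certificate" if cert
                 else "password" if pw else "none (only TLS, if any)")
        report.append({**e, "client_cert_required": cert, "proves_client": proof,
                       "encrypted_only": e["type"] == "hostssl"})
    return report
```

Running audit on the sample flags the first line as requiring sslcert/sslkey in addition to the password, which is exactly why a connection string carrying only sslrootcert fails against that entry.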