[pgpool-hackers: 2983] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II
Jesper Pedersen
jesper.pedersen at redhat.com
Thu Aug 23 02:45:51 JST 2018
Hi,
On 08/14/2018 02:04 PM, Jesper Pedersen wrote:
> Could you expand a bit on this ?
>
> I have
>
> pg_hba.conf:
> ------------
> hostssl all all all scram-sha-256 clientcert=1
>
> so clients, in this case pgpool, require a certificate to connect.
>
> However, in pgpool.conf I see
>
> * ssl
> * ssl_key
> * ssl_cert
> * ssl_ca_cert
>
> which are "server" side configuration. We need a ssl_client_cert option,
> right ?
>
> At the moment I get:
>
> ERROR: failed to authenticate
> DETAIL: connection requires a valid client certificate
>
> psql works (-p 5432) through the implicit ~/.postgresql defaults.
>
> The goal is to have SCRAM-SHA256 with SSL client certificate
> authentication in the entire stack: client <-> pgpool <-> PostgreSQL.
>
Has somebody else tried this?

LOG: find_primary_node: make_persistent_db_connection_noerror failed on node 0
DEBUG: attempting to negotiate a secure connection
DETAIL: sending client->server SSL request
DEBUG: attempting to negotiate a secure connection
DETAIL: client->server SSL response: S
ERROR: failed to authenticate
DETAIL: connection requires a valid client certificate

I'm using self-signed certificates with no passphrase. SSL lib is
openssl-1.1.0h.

This works

psql -h localhost -p 5432 --set="sslmode=require" -U myuser mydb
Password for user myuser:
psql (12devel)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
mydb=> \q

Best regards,
Jesper
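
Added example (not part of the original message, and not Pgpool-II or PostgreSQL code): a sketch of the libpq client-certificate defaults that explain why psql on port 5432 passes the clientcert=1 rule without any sslcert option. The function name, status strings and throwaway home directories are assumptions made for illustration; the permission check is simplified to "no group or world access" on Unix.

```python
import os
import stat
import tempfile

def resolve_client_cert(env, home):
    """Resolve the client cert/key paths as libpq documents them.

    PGSSLCERT / PGSSLKEY override the per-user defaults
    ~/.postgresql/postgresql.crt and ~/.postgresql/postgresql.key.
    Returns (cert_path, key_path, status).
    """
    pgdir = os.path.join(home, ".postgresql")
    cert = env.get("PGSSLCERT") or os.path.join(pgdir, "postgresql.crt")
    key = env.get("PGSSLKEY") or os.path.join(pgdir, "postgresql.key")
    if not os.path.isfile(cert):
        # No certificate is presented; a clientcert=1 rule then rejects with
        # "connection requires a valid client certificate".
        return cert, key, "no-cert"
    if not os.path.isfile(key):
        return cert, key, "key-missing"
    if os.stat(key).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        # libpq refuses a private key readable by group or world.
        return cert, key, "key-perms"
    return cert, key, "ok"

def make_home(with_cert=True, key_mode=0o600):
    """Build a constructed, throwaway home directory for the demo."""
    home = tempfile.mkdtemp()
    pgdir = os.path.join(home, ".postgresql")
    os.mkdir(pgdir)
    if with_cert:
        for name in ("postgresql.crt", "postgresql.key"):
            with open(os.path.join(pgdir, name), "w") as fh:
                fh.write("constructed placeholder, not real key material\n")
        os.chmod(os.path.join(pgdir, "postgresql.key"), key_mode)
    return home

if __name__ == "__main__":
    cases = (
        ("account with ~/.postgresql files", make_home()),
        ("account without them", make_home(with_cert=False)),
        ("key with mode 0644", make_home(key_mode=0o644)),
    )
    for label, home in cases:
        print(label, "->", resolve_client_cert({}, home)[2])
```
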