connection requires a valid client certificate
Hi there,
I have pg_hba configured to reject all non-SSL connections and only allow SSL. I'm attempting to set up my system to block connections that have no SSL or an invalid SSL certificate, but cannot seem to get a log message if there is no SSL certificate. I haven't tried with an invalid certificate yet; I was just trying the no-SSL option first.
- If I have a valid SSL certificate but incorrect user details, I get a log in pg_authfail
- If I have no SSL certificate, I get no log in pg_authfail
Note in the first instance the main log records "FATAL: certificate authentication failed for user ...". In the second instance above, the main log records "FATAL: connection requires a valid client certificate".
I've had a bit of a look at your code and auth.c in 9.4 and can't quite see why your hook doesn't get the STATUS_ERROR message. In ClientAuthentication, status is set to STATUS_ERROR by default, we get the error message 'connection requires a valid client certificate', and then the ClientAuthentication_hook should receive that message?
Hello,
Unfortunately, this is due to how PostgreSQL handles this case, and there's nothing that can be done in pg_log_authfail :/
This message is raised in https://github.com/postgres/postgres/blob/master/src/backend/libpq/auth.c#L351
and a FATAL level in an ereport() results in exiting the backend, so the hook part of this function is never reached. I suppose it's done this way because without a client certificate it doesn't make any sense to go any further and try to validate a nonexistent certificate. Also, this extension only needs the hook to log some information and doesn't do anything else, and a missing certificate is probably a specific case that no one considered. You could try to ask on pgsql-hackers if this is something that could be changed.
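Since the missing-certificate FATAL never reaches the hook, the only place it can be picked up is the main server log. The following is an added example, not code from pg_log_authfail or from this thread, that classifies the two FATAL messages quoted above; the log_line_prefix layout (`%m [%p] %h `) and the sample lines are assumed and constructed.

```python
import re
from collections import Counter

# Constructed sample server log. Assumes log_line_prefix = '%m [%p] %h ';
# timestamps, PIDs and client addresses are made up for the example.
SAMPLE_LOG = """\
2024-01-01 10:00:01.123 UTC [4321] 10.0.0.5 FATAL:  connection requires a valid client certificate
2024-01-01 10:00:02.456 UTC [4322] 10.0.0.6 FATAL:  certificate authentication failed for user "alice"
2024-01-01 10:00:03.789 UTC [4323] 10.0.0.5 FATAL:  connection requires a valid client certificate
2024-01-01 10:00:04.000 UTC [4324] 10.0.0.7 LOG:  connection authorized: user=bob database=app
"""

# Prefix pattern for the assumed '%m [%p] %h ' layout (timestamp has
# three whitespace-separated tokens: date, time, zone).
PREFIX = r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<host>\S+) "

# The two FATAL messages from the thread. PostgreSQL writes two spaces
# after the severity, so match the gap with \s+ rather than a literal.
MISSING_CERT = re.compile(
    PREFIX + r"FATAL:\s+connection requires a valid client certificate")
CERT_AUTH_FAILED = re.compile(
    PREFIX + r'FATAL:\s+certificate authentication failed for user "(?P<user>[^"]+)"')


def classify_line(line):
    """Return a dict describing a certificate-related FATAL, or None.

    'missing_cert' lines never reach ClientAuthentication_hook, so they
    carry no user name; 'cert_auth_failed' lines name the attempted user.
    """
    m = MISSING_CERT.match(line)
    if m:
        return {"kind": "missing_cert", "host": m.group("host"), "user": None}
    m = CERT_AUTH_FAILED.match(line)
    if m:
        return {"kind": "cert_auth_failed", "host": m.group("host"),
                "user": m.group("user")}
    return None


def summarize(log_text):
    """Count certificate failures per (kind, client host) across a log."""
    counts = Counter()
    for line in log_text.splitlines():
        event = classify_line(line)
        if event is not None:
            counts[(event["kind"], event["host"])] += 1
    return counts


if __name__ == "__main__":
    for (kind, host), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind:17s} {host:12s} {n}")
```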
I thought this may be the case, thanks for your quick response.