Monday, September 11, 2017

[google-cloud-sql-discuss] psql to Cloud SQL instance using SSL

Hi all,
please explain this to me... To simplify my question: I have configured a Cloud SQL PostgreSQL instance in the following way:
- I have whitelisted my IP (in the authorization tab)
- I have created ssl client certificate 'foo' (in the ssl tab) and downloaded foo-client-cert.pem and foo-client-key.pem
- I have created ssl client certificate 'bar' (in the ssl tab) and downloaded bar-client-cert.pem and bar-client-key.pem, and then I deleted this client certificate (in the ssl tab)
- I have also downloaded server-ca.pem

Now,
psql "sslmode=verify-full sslrootcert=keys/server-ca.pem sslcert=keys/foo-client-cert.pem sslkey=keys/foo-client-key.pem hostaddr=xx.xx.xx.xx port=xxxx user=xxxx dbname=xxxx host=xxxx"
works as expected -- ssl connection established

psql "sslmode=verify-full sslrootcert=keys/server-ca.pem sslcert=keys/bar-client-cert.pem sslkey=keys/bar-client-key.pem hostaddr=xx.xx.xx.xx port=xxxx user=xxxx dbname=xxxx host=xxxx"
works as expected -- not connecting, giving the following:
psql: SSL error: tlsv1 alert unknown ca

psql "sslmode=verify-full sslrootcert=keys/server-ca.pem hostaddr=xx.xx.xx.xx port=xxxx user=xxxx dbname=xxxx host=xxxx"
without supplying sslcert or sslkey also establishes the ssl connection

This would be consistent with the documentation on https://cloud.google.com/sql/docs/postgres/connect-admin-ip stating that "The sslcert and sslkey parameters are optional.", but at this moment I don't understand why this works. I.e. you cannot use the deleted 'bar' public/private key pair, but you can connect using (indirectly) some default, system-configuration-specific postgres public/private key pair. Am I missing something?

Best regards,
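Added example, not from the original post and not Cloud SQL's own tooling: the script below builds a throwaway PKI with openssl (a "trusted" CA standing in for server-ca.pem, plus a second CA the server does not trust) and runs the two local checks worth doing before pointing psql at sslcert/sslkey: does the private key belong to the certificate, and does the certificate chain to the CA the server expects? The CA names, the foo/bar certificates and the temporary directory are constructed; openssl is assumed to be on the PATH. What the script deliberately does not model is libpq's sslmode=verify-full, which verifies the server's certificate and hostname against sslrootcert regardless of whether a client certificate is presented; sslcert/sslkey only feed the server's decision about whether to accept the client, which is why a connection without them can still be a fully verified TLS session.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway CA + client certs,
# then the local pre-flight checks for a psql sslcert/sslkey pair.
set -e

WORK=${WORK:-$(mktemp -d)}        # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA certificate and key in directory $1 with CN $2.
make_test_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/server-ca-key.pem" -out "$1/server-ca.pem" >/dev/null 2>&1
}

# Issue client certificate $1 signed by the CA in $2, using the file naming
# from the post (<name>-client-cert.pem / <name>-client-key.pem).
issue_client_cert() {
  name=$1; ca_dir=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name-client-key.pem" -out "$WORK/$name.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$name.csr" \
    -CA "$ca_dir/server-ca.pem" -CAkey "$ca_dir/server-ca-key.pem" -CAcreateserial \
    -out "$WORK/$name-client-cert.pem" >/dev/null 2>&1
}

# Return 0 when the public key embedded in certificate $1 equals the public
# key derived from private key $2 (an sslcert/sslkey mix-up fails here).
check_pair() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when certificate $2 chains to CA file $1: the same trust decision
# a TLS server makes before it accepts a client certificate.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_ca "$WORK/trusted" test-server-ca   # plays the role of server-ca.pem
make_test_ca "$WORK/stale" stale-ca           # a CA the server does not trust
issue_client_cert foo "$WORK/trusted"         # like the working 'foo' pair
issue_client_cert bar "$WORK/stale"           # models a pair the server rejects

for name in foo bar; do
  cert="$WORK/$name-client-cert.pem"; key="$WORK/$name-client-key.pem"
  if check_pair "$cert" "$key"; then
    echo "$name: private key matches certificate"
  else
    echo "$name: KEY/CERT MISMATCH"
  fi
  if check_chain "$WORK/trusted/server-ca.pem" "$cert"; then
    echo "$name: chains to server-ca.pem, server would accept it"
  else
    echo "$name: does not chain to server-ca.pem, server would reject it"
  fi
done
```

Running it prints two lines per certificate: foo passes both checks, bar passes the key/cert match but fails the chain check, which is the local analogue of the server-side rejection. The chain check is a model of an untrusted issuer, not of Cloud SQL's own certificate lifecycle, so a certificate that Cloud SQL has deleted will still pass `openssl verify` locally; the server's trust store, not the client's files, decides.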


To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/eba5d0f0-8e50-48f2-a140-d0252bc8a6c9%40googlegroups.com.
