
Add OpenSSL verification modes and certificate handlers reference (DOC-134) #5816

Open

dhtclk wants to merge 2 commits into main from doc-134-certificate-verification

Conversation

@dhtclk (Collaborator)

@dhtclk dhtclk commented Mar 23, 2026

Summary

EXPERIMENTAL

  • Adds a reference section to the TLS configuration guide documenting all verificationMode options and invalidCertificateHandler names
  • Includes complete XML examples for disabling certificate verification across clickhouse-client, clickhouse-server, and Keeper
  • Mentions the --accept-invalid-certificate CLI shortcut

Verification

Only Verified with CLAUDE:
All technical claims verified against ClickHouse source code:

| Claim | Source | Confidence |
|---|---|---|
| 4 verification modes (none, relaxed, once, strict) | base/poco/NetSSL_OpenSSL/src/Utility.cpp | High |
| once behaves as relaxed on client side | Poco::Net::Context upstream docs | High |
| Only Accept and Reject handlers exist | ClickHouse Poco fork (ConsoleCertificateHandler removed) | High |
| Handler works in both `<server>` and `<client>` | base/poco/NetSSL_OpenSSL/src/SSLManager.cpp | High |
| --accept-invalid-certificate flag | programs/client/Client.cpp | High |
| No ClickHouse-level restrictions on Poco | Searched src/ for additional validation — none found | Medium |

Closes DOC-134

🤖 Generated with Claude Code

…C-134)

Document all verificationMode options, invalidCertificateHandler names,
and complete examples for disabling certificate verification across
clickhouse-client, clickhouse-server, and Keeper. Verified against
ClickHouse's Poco fork source code.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@dhtclk dhtclk requested a review from a team as a code owner March 23, 2026 16:36

Remove em dashes and bold formatting from markdown table cells
that caused rendering issues in GitHub diff views.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Blargian (Member)

@dhtclk I find asking the LLM for verification is often unreliable. Did you cross check using a different LLM to verify?

@dhtclk (Collaborator, Author)

dhtclk commented Mar 24, 2026

@Blargian - I did not do that in this case; I'll follow up with manual validation and validation with a different LLM.

@Blargian (Member)

Blargian commented May 7, 2026

@dhtclk This one has been open for some time. Could you check the claims using Copilot CLI and/or test the claims so we can merge?

@dhtclk (Collaborator, Author)

dhtclk commented May 7, 2026

@Blargian — second-LLM re-verification against ClickHouse source and a Docker runtime via Copilot CLI. It looks good to go from my perspective.

| Claim | Status | Citation |
|---|---|---|
| 4 verification modes (none, relaxed, once, strict) | VERIFIED | base/poco/NetSSL_OpenSSL/src/Utility.cpp:25-41; include/Poco/Net/Context.h:60-95 |
| once semantics (server: initial-only; client: same as relaxed) | VERIFIED | include/Poco/Net/Context.h:89-95 |
| Only Accept/Reject handlers present in vendored Poco | VERIFIED | base/poco/NetSSL_OpenSSL/src/CertificateHandlerFactoryMgr.cpp:24-28 (no ConsoleCertificateHandler found) |
| Handlers apply on server & client sides | VERIFIED | include/Poco/Net/InvalidCertificateHandler.h:59-63; AcceptCertificateHandler.cpp |
| --accept-invalid-certificate sets AcceptCertificateHandler + verificationMode=none | VERIFIED (source + runtime) | programs/client/Client.cpp:292-296,828-831; Docker runtime test |
| Examples for clickhouse-client/server/Keeper are consistent | VERIFIED (source + runtime) | programs/server/config.xml; programs/keeper-client/KeeperClient.cpp:639-647; Docker runtime test |
| ClickHouse-level restrictions on these Poco options | PARTIAL | No restricting code found in repo search (base/poco, `programs/*`); runtime Docker test succeeded — cannot prove a global negative exhaustively |

Potential gap

  • Minor Poco message mismatch: Utility.cpp throws an InvalidArgumentException message that omits "none" even though code accepts it (Utility.cpp:36-39).

Runtime repro (what was run)

  • Started clickhouse/clickhouse-server in Docker with mounted config + certs + users.xml, then:
    `clickhouse-client --secure --user default --password pass --host localhost --port 9440 --accept-invalid-certificate -q "SELECT 1"` → returned 1

Artifacts & timestamp

  • Source checks and Docker test performed 2026-05-07. Logs/artifacts: /tmp/ch_docker_test.9tko
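A defender's-side check of the settings discussed in this thread, added here as an example and not code from the PR or the ClickHouse repository: it parses an `<openSSL>` fragment (the sample config below is constructed), validates `verificationMode` and handler names against the four Poco modes and two handlers listed above, applies the client-side once-equals-relaxed rule, and flags combinations that leave the peer certificate unverified. The defaults it assumes for absent keys (`relaxed`, `RejectCertificateHandler`) are assumptions, not taken from the page.

```python
import xml.etree.ElementTree as ET

# The four verificationMode values Poco's Utility.cpp accepts (per the table above).
POCO_MODES = {"none", "relaxed", "once", "strict"}
# The only invalidCertificateHandler names present in ClickHouse's vendored Poco fork.
POCO_HANDLERS = {"AcceptCertificateHandler", "RejectCertificateHandler"}

# Constructed sample: <server> uses the same pair that --accept-invalid-certificate sets on a
# client (Accept handler + verificationMode=none); <client> relies on the 'once' mode.
SAMPLE_CONFIG = """<clickhouse><openSSL>
  <server>
    <verificationMode>none</verificationMode>
    <invalidCertificateHandler><name>AcceptCertificateHandler</name></invalidCertificateHandler>
  </server>
  <client>
    <verificationMode>once</verificationMode>
    <invalidCertificateHandler><name>RejectCertificateHandler</name></invalidCertificateHandler>
  </client>
</openSSL></clickhouse>"""


def effective_mode(side: str, mode: str) -> str:
    """'once' means initial-handshake-only on the server; on the client it behaves as 'relaxed'."""
    return "relaxed" if side == "client" and mode == "once" else mode


def audit_openssl(config_xml: str) -> dict:
    """Audit <openSSL><server> and <openSSL><client>; returns {side: {mode, handler, findings}}."""
    root = ET.fromstring(config_xml)
    report = {}
    for side in ("server", "client"):
        node = root.find(f"./openSSL/{side}")
        # Assumption: when a key is absent, Poco defaults to relaxed / RejectCertificateHandler.
        mode = ((node.findtext("verificationMode") if node is not None else None) or "relaxed").strip()
        handler = ((node.findtext("invalidCertificateHandler/name") if node is not None else None)
                   or "RejectCertificateHandler").strip()
        findings = []
        if mode not in POCO_MODES:
            findings.append(f"verificationMode={mode!r} is not a Poco mode (Utility.cpp raises InvalidArgumentException)")
        if handler not in POCO_HANDLERS:
            findings.append(f"handler {handler!r} is unknown; only Accept/Reject exist in the vendored Poco")
        eff = effective_mode(side, mode)
        if eff == "none":
            findings.append("peer certificate is never verified (verificationMode=none)")
        elif handler == "AcceptCertificateHandler":
            # The Accept handler swallows verification failures, so the mode no longer rejects anything.
            findings.append(f"AcceptCertificateHandler makes verificationMode={eff} ineffective")
        report[side] = {"mode": eff, "handler": handler, "findings": findings}
    return report
```

On the sample, `audit_openssl(SAMPLE_CONFIG)` reports the server side as never verifying the peer and the client side as effective mode `relaxed` with no findings.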
