| From: | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> |
|---|---|
| To: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | "cert" + clientcert=verify-ca in pg_hba.conf? |
| Date: | 2020-07-16 00:30:12 |
| Message-ID: | 20200716.093012.1627751694396009053.horikyota.ntt@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hello.
The "Certificate Authentication" section in the doc for PG12 and later
describes the relation ship with clientcert as follows.
> In a pg_hba.conf record specifying certificate authentication, the
> authentication option clientcert is assumed to be verify-ca or
> verify-full, and it cannot be turned off since a client certificate
> is necessary for this method. What the cert method adds to the basic
> clientcert certificate validity test is a check that the cn
> attribute matches the database user name.
In reality, cert method is assumed as "vefiry-full" and does not add
anything to verify-full and cannot be degraded or turned off. It seems
to be a mistake on rewriting it when clientcert was changed to accept
verify-ca/full at PG12.
Related to that, pg_hba.conf accepts the combination of "cert" method
and the option clientcert="verify-ca" but it is ignored. We should
reject that combination the same way with "cert"+"no-verify".
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Fix-behavior-for-cert-verify-ca-in-pg_hba.conf.patch | text/x-patch | 2.4 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2020-07-16 01:25:32 | Re: Improving connection scalability: GetSnapshotData() |
| Previous Message | Tom Lane | 2020-07-16 00:14:36 | Re: sys_siglist[] is causing us trouble again |