|From:||Bruce Momjian <bruce(at)momjian(dot)us>|
|To:||Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>|
|Subject:||Re: "cert" + clientcert=verify-ca in pg_hba.conf?|
|Views:||Raw Message | Whole Thread | Download mbox | Resend email|
On Thu, Jul 16, 2020 at 09:30:12AM +0900, Kyotaro Horiguchi wrote:
> The "Certificate Authentication" section in the doc for PG12 and later
> describes the relation ship with clientcert as follows.
> > In a pg_hba.conf record specifying certificate authentication, the
> > authentication option clientcert is assumed to be verify-ca or
> > verify-full, and it cannot be turned off since a client certificate
> > is necessary for this method. What the cert method adds to the basic
> > clientcert certificate validity test is a check that the cn
> > attribute matches the database user name.
> In reality, cert method is assumed as "verify-full" and does not add
> anything to verify-full and cannot be degraded or turned off. It seems
> to be a mistake on rewriting it when clientcert was changed to accept
> verify-ca/full at PG12.
Agreed. I was able to test this patch and it does what you explained.
I have slightly adjusted the doc part of the patch, attached.
> Related to that, pg_hba.conf accepts the combination of "cert" method
> and the option clientcert="verify-ca" but it is ignored. We should
> reject that combination the same way with "cert"+"no-verify".
Are you saying we should _require_ clientcert=verify-full when 'cert'
authentication is used? I don't see the point of that --- I just
updated the docs to say doing so was duplicate behavior.
The usefulness of a cup is in its emptiness, Bruce Lee
|Next Message||Justin Pryzby||2020-08-25 00:06:25||Re: Row estimates for empty tables|
|Previous Message||Peter Smith||2020-08-24 23:19:02||Re: proposal - function string_to_table|