Hi, Cary.
On 3/2/20 1:06 PM, Cary Huang wrote:
> Hi
>
> I found a documentation bug about client authentication using a TLS
> certificate. When clientcert authentication is enabled in pg_hba.conf,
> libpq does not verify that the *common name* in the certificate
> matches the *database username* as described in the documentation
> before allowing a client connection.
>
> Instead, when sslmode is set to “verify-full”, libpq will verify whether the
> *server host name* matches the *common name* in the client certificate.
This sounds incorrect. My understanding is that the *server* host name
is always matched with the *server* common name.
> When sslmode is set to “verify-ca”, libpq will verify that the client is
> trustworthy by checking the certificate trust chain up to the root
> certificate, and it does not verify that the *server hostname* and the
> certificate *common name* match in this case.
Similarly, libpq will verify the *server* is trustworthy by checking the
*server* certificate up to the root. It does not verify that the host
name matches the common name in the *server* certificate.
In all cases, libpq is responsible for verifying the *server* is who it
claims to be.
-- Chris
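As an added illustration of the point Chris makes (not code from the thread or from libpq), the following Python model shows which checks each sslmode applies, and that the host name comparison is only ever made against the *server* certificate. The certificate is a constructed dict (chain_ok, san, cn), not a parsed X.509 object, and the wildcard rule is a simplified single-label match.

```python
# Added model of libpq's sslmode checks on the *server* certificate.
# Certificates are represented as constructed dicts, not real X.509 data:
#   {"chain_ok": bool, "san": [dNSName, ...], "cn": str}

def _host_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name to the connection host name.
    A leading '*.' wildcard covers exactly one DNS label (simplified rule)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def server_cert_accepted(sslmode: str, cert: dict, host: str) -> bool:
    """Return True if a libpq-style client would accept the server certificate."""
    if sslmode in ("disable", "allow", "prefer", "require"):
        # No certificate verification at all: encryption without authentication.
        return True
    if not cert["chain_ok"]:
        # verify-ca and verify-full both require a chain up to a trusted root.
        return False
    if sslmode == "verify-ca":
        # Chain only; the host name is never compared to any name in the cert.
        return True
    if sslmode == "verify-full":
        # Chain plus host name: SAN dNSName entries first, CN only as a fallback.
        names = cert.get("san") or [cert["cn"]]
        return any(_host_matches(name, host) for name in names)
    raise ValueError(f"unknown sslmode {sslmode!r}")


if __name__ == "__main__":
    # Constructed sample: a correctly chained server cert issued for another host.
    cert = {"chain_ok": True, "san": [], "cn": "other.example.com"}
    print("verify-ca  :", server_cert_accepted("verify-ca", cert, "db.example.com"))
    print("verify-full:", server_cert_accepted("verify-full", cert, "db.example.com"))
```

Run stand-alone, the script shows verify-ca accepting the mis-named certificate while verify-full rejects it, which is the host name check the thread is discussing.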