On Tue, Aug 25, 2020 at 10:41:26AM +0900, Kyotaro Horiguchi wrote:
> At Mon, 24 Aug 2020 20:01:26 -0400, Bruce Momjian <br...@momjian.us> wrote in
> > I have slightly adjusted the doc part of the patch, attached.
>
> Thanks.
>
>        In a <filename>pg_hba.conf</filename> record specifying certificate
> -      authentication, the authentication option <literal>clientcert</literal>
> is
> -      assumed to be <literal>verify-ca</literal> or
> <literal>verify-full</literal>,
> -      and it cannot be turned off since a client certificate is necessary for
> this
> -      method. What the <literal>cert</literal> method adds to the basic
> -      <literal>clientcert</literal> certificate validity test is a check that
> the
> -      <literal>cn</literal> attribute matches the database user name.
> +      authentication, the only valid value for <literal>clientcert</literal>
> +      is <literal>verify-full</literal>, and this has no affect since it
> +      just duplicates <literal>client</literal> authentication's behavior.
>
> I read it as "it can be specified (without an error), but actually
> does nothing". If it is the correct reading, I prefer to mention that
> incompatible values cause an error.
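Review bot: The replacement paragraph drops the one fact a reader of the cert method needs, namely that cert adds a check that the certificate's cn attribute matches the database user name, which the removed lines stated; keep that sentence alongside the new clientcert wording. In the added lines, "has no affect" should read "has no effect", and "<literal>client</literal> authentication's behavior" looks like a slip for "<literal>cert</literal>", the method name used everywhere else in this paragraph.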
Well, when I say "the only valid value", that means any other value is
invalid, and hence will generate an error.

> > > Related to that, pg_hba.conf accepts the combination of "cert" method
> > > and the option clientcert="verify-ca" but it is ignored. We should
> > > reject that combination the same way with "cert"+"no-verify".
> >
> > Are you saying we should _require_ clientcert=verify-full when 'cert'
> > authentication is used? I don't see the point of that --- I just
> > updated the docs to say doing so was duplicate behavior.
>
> I don't suggest changing the current behavior. I'm saying it is the
> way it is working and we should correctly error-out that since it
> doesn't work as specified.

Uh, I don't understand what 'combination the same way with
"cert"+"no-verify"'. Right now, cert with no clientcert/verify line
works just fine. Is "no-verify" something special? Are you saying it
is any random string that would generate an error?

--
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee