At Mon, 24 Aug 2020 23:04:51 -0400, Bruce Momjian <br...@momjian.us> wrote in
> > > I don't see "no-verify" mentioned anywhere in our docs.
> >
> > no-verify itself is mentioned here.
> >
> > https://www.postgresql.org/docs/13/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
>
> Oh, I see it now, thanks.  Do you have any idea what this part of the
> docs means?
>
>     When <literal>clientcert</literal> is not specified or is set to
>     <literal>no-verify</literal>, the server will still verify any presented
>     client certificates against its CA file, if one is configured —
>     but it will not insist that a client certificate be presented.

Ah.. Indeed. Even if clientcert is not set or set to no-verify, it
checks the client certificate against the CA, if any. If verify-ca, a
client certificate must be provided. As a result, no-verify actually
fails if the client has a certificate that is not backed by the CA.

> Why is this useful?

I agree, but there seems to be an implementation reason for the
behavior. To identify an hba-line, some connection parameters, like
the user name and others sent over the connection, are required. Thus
the clientcert option in the to-be-identified hba-line is unknown
prior to the time the SSL connection is made.

So the documentation might need amendment. Roughly something like the
following?

===
When <literal>clientcert</literal> is not specified or is set to
<literal>no-verify</literal>, clients can connect to the server without
having a client certificate.

Note: Regardless of the setting of <literal>clientcert</literal>, the
connection can end in failure if a client certificate that cannot be
verified by the server is stored in the ~/.postgresql directory.
===

By the way, the following table line might need to be changed?

libpq-ssl.html:
>     <entry><filename>~/.postgresql/postgresql.crt</filename></entry>
>     <entry>client certificate</entry>
-     <entry>requested by server</entry>

The file is actually not requested by the server; the client just
pushes it to the server, if any, unconditionally.

+     <entry>sent to server</entry>

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center
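Review bot: the `+ <entry>sent to server</entry>` replacement is less accurate than the `- <entry>requested by server</entry>` line it removes. In TLS a client only transmits its certificate after the server has sent a CertificateRequest, and per the quoted ssl-tcp text the server asks for (and verifies) one only when a CA file is configured; without one, libpq has the file loaded but never sends it. "requested by server" describes that; if the cell is changed at all, "sent if requested by server" keeps it correct.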
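The server-side behaviour established above (a presented client certificate is checked against the CA even when no certificate is demanded, so a stray certificate breaks the connection under no-verify, while verify-ca additionally refuses clients with none) is what OpenSSL does when a server verifies peers without requiring a peer certificate. The following is an added example, not PostgreSQL or libpq code: it stands up a one-shot TLS server with Python's ssl module, using CERT_OPTIONAL for the no-verify case and CERT_REQUIRED for verify-ca, against a client that, like libpq with ~/.postgresql/postgresql.crt in place, offers whatever certificate it has been given. The throwaway CA, the "alice" certificate it issues and the "stray" certificate from an unrelated CA are all constructed at run time; it assumes the openssl command-line tool is on PATH.

```python
"""Client-certificate verification modes, in the style of PostgreSQL's
clientcert=no-verify vs clientcert=verify-ca.  Added example, not
PostgreSQL or libpq code; assumes the openssl CLI is on PATH."""
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_pki(d):
    """Constructed throwaway PKI: a trusted CA, server and client ('alice')
    certs issued by it, and a 'stray' client cert issued by an unrelated CA."""
    for ca in ("ca", "other"):
        _openssl("req", "-x509", "-batch", "-newkey", "rsa:2048", "-nodes",
                 "-days", "1", "-subj", f"/CN={ca}",
                 "-keyout", f"{d}/{ca}.key", "-out", f"{d}/{ca}.crt")
    for name, issuer in (("server", "ca"), ("alice", "ca"), ("stray", "other")):
        ext = "basicConstraints=CA:FALSE\n"
        if name == "server":
            ext += "subjectAltName=DNS:localhost\n"
        with open(f"{d}/{name}.ext", "w") as f:
            f.write(ext)
        _openssl("req", "-batch", "-newkey", "rsa:2048", "-nodes",
                 "-subj", f"/CN={name}",
                 "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.csr")
        _openssl("x509", "-req", "-days", "1", "-in", f"{d}/{name}.csr",
                 "-CA", f"{d}/{issuer}.crt", "-CAkey", f"{d}/{issuer}.key",
                 "-CAcreateserial", "-extfile", f"{d}/{name}.ext",
                 "-out", f"{d}/{name}.crt")


def start_server(d, require_client_cert):
    """One-shot TLS server with the CA loaded (the ssl_ca_file analogue).
    CERT_OPTIONAL: a presented client cert is verified, none is fine (no-verify).
    CERT_REQUIRED: additionally, a client cert must be presented (verify-ca)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(f"{d}/server.crt", f"{d}/server.key")
    ctx.load_verify_locations(cafile=f"{d}/ca.crt")
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    lsock = socket.create_server(("127.0.0.1", 0))
    lsock.settimeout(5)

    def serve():
        try:
            conn, _ = lsock.accept()
            conn.settimeout(5)
            with ctx.wrap_socket(conn, server_side=True) as tls:  # handshake here
                tls.sendall(b"OK\n")
        except OSError:
            pass  # handshake rejected; the client sees an alert instead of "OK"
        finally:
            lsock.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return lsock.getsockname()[1], t


def connect(d, port, client_cert=None):
    """Client that, like libpq with ~/.postgresql/postgresql.crt present,
    offers whatever certificate it has been given.  Returns True if the
    server accepted the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=f"{d}/ca.crt")
    if client_cert:
        ctx.load_cert_chain(f"{d}/{client_cert}.crt", f"{d}/{client_cert}.key")
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname="localhost") as tls:
                # Under TLS 1.3 the client's handshake completes before the
                # server has checked the certificate; the verdict arrives on
                # the first read, as "OK" or as an alert (raised as SSLError).
                return tls.recv(16) == b"OK\n"
    except OSError:
        return False


def demo():
    """Map (server mode, client cert) -> accepted, for all six combinations."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        make_pki(d)
        for mode, require in (("no-verify", False), ("verify-ca", True)):
            for cert in (None, "alice", "stray"):
                port, t = start_server(d, require)
                results[(mode, cert or "none")] = connect(d, port, cert)
                t.join(5)
    return results


if __name__ == "__main__":
    for (mode, cert), ok in demo().items():
        print(f"{mode:10} client cert={cert:6} -> {'accepted' if ok else 'rejected'}")
```

The matrix this produces is the one the thread describes: no-verify accepts a client with no certificate and a client with the CA-issued "alice" certificate but rejects the "stray" one; verify-ca rejects both the stray certificate and the certificate-less client, and accepts only "alice".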