[PATCH] Documentation bug related to client authentication using TLS certificate - Mailing list pgsql-hackers

From Cary Huang
Subject [PATCH] Documentation bug related to client authentication using TLS certificate
Date
Msg-id 1709ca4e52b.bc7cf1df92550.8273994887028801445@highgo.ca
Responses Re: [PATCH] Documentation bug related to client authentication using TLS certificate  (Chris Bandy <bandy.chris@gmail.com>)
List pgsql-hackers
Hi

I found a documentation bug about client authentication using a TLS certificate. When clientcert authentication is enabled in pg_hba.conf, libpq does not verify that the common name in the certificate matches the database username, as the documentation describes, before allowing the client connection.

Instead, when sslmode is set to “verify-full”, libpq will verify that the server host name matches the common name in the client certificate. When sslmode is set to “verify-ca”, libpq will verify that the client is trustworthy by checking the certificate trust chain up to the root certificate; it does not verify that the server hostname and the certificate common name match in this case.


The attached patch corrects the clientcert authentication description in the documentation.

cheers

Cary Huang
-------------
HighGo Software Inc. (Canada)
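As an added example, not part of this message or of the attached patch: a small audit script that reads a constructed pg_hba.conf and flags hostssl rules where the client certificate is accepted on trust-chain validity alone, with its Common Name never compared to the database role. It assumes the PostgreSQL 12+ option syntax (clientcert=verify-ca versus clientcert=verify-full, plus the cert auth method), which the message does not describe.

```python
"""Flag pg_hba.conf hostssl rules that accept a client certificate on
trust-chain validity alone, without tying its Common Name to the role.
Assumption (not from the thread): PostgreSQL 12+ syntax, where
clientcert=verify-ca checks only the chain, while clientcert=verify-full
and the 'cert' auth method also require the CN to match the role name."""
import shlex

# Constructed sample pg_hba.conf for the demo, not taken from the thread.
SAMPLE_HBA = """
# TYPE  DATABASE  USER  ADDRESS         METHOD         [OPTIONS]
local   all       all                   peer
hostssl all       all   10.0.0.0/8      cert
hostssl all       all   10.0.0.0/8      scram-sha-256  clientcert=verify-full
hostssl all       all   0.0.0.0/0       md5            clientcert=verify-ca
hostssl all       all   0.0.0.0/0       md5            clientcert=1
hostssl all       app   0.0.0.0/0       cert           map=certmap
"""

def parse_hba(text):
    """Yield (lineno, fields, options) for every non-comment rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        opts = dict(tok.split("=", 1) for tok in fields if "=" in tok)
        yield lineno, fields, opts

def cn_bound_to_role(method, opts):
    """True when the rule forces the client-cert CN to match the role."""
    return method == "cert" or opts.get("clientcert") == "verify-full"

def audit_hba(text):
    """Return (lineno, message) for hostssl rules that rely on chain only."""
    findings = []
    for lineno, fields, opts in parse_hba(text):
        if fields[0] != "hostssl" or "clientcert" not in opts:
            continue
        method = fields[4]  # hostssl rules always carry an ADDRESS field
        if not cn_bound_to_role(method, opts):
            findings.append((lineno, "clientcert=%s validates the trust chain "
                             "only; the CN is never compared to the role"
                             % opts["clientcert"]))
    return findings

if __name__ == "__main__":
    for lineno, msg in audit_hba(SAMPLE_HBA):
        print("line %d: %s" % (lineno, msg))
```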

