[PATCH] Documentation bug related to client authentication usingTLS certificate - Mailing list pgsql-hackers

From Cary Huang
Subject [PATCH] Documentation bug related to client authentication usingTLS certificate
Date
Msg-id 1709ca4e52b.bc7cf1df92550.8273994887028801445@highgo.ca
Whole thread Raw
Responses Re: [PATCH] Documentation bug related to client authentication usingTLS certificate
List pgsql-hackers
Hi

I found a document bug about client authentication using TLS certificate. When clientcert authentication is enabled in pg_hba.conf, libpq does not verify that the common name in certificate matches database username like it is described in the documentation before allowing client connection.

Instead, when sslmode is set to “verify-full”, libpq will verify if the server host name matches the common name in client certificate. When sslmode is set to “verify-ca”, libpq will verify that the client is trustworthy by checking the certificate trust chain up to the root certificate and it does not verify server hostname and certificate common name match in this case.


The attached patch corrects the clientcert authentication description in the documentation

cheers






Cary Huang
-------------
HighGo Software Inc. (Canada)

Attachment

pgsql-hackers by date:

Previous
From: Alexey Kondratov
Date:
Subject: Re: [Patch] pg_rewind: options to use restore_command fromrecovery.conf or command line
Next
From: Tom Lane
Date:
Subject: Re: Allowing ALTER TYPE to change storage strategy