Postgres Pro
Downloads
Home   >   mailing lists

Re: "cert" + clientcert=verify-ca in pg_hba.conf? - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: "cert" + clientcert=verify-ca in pg_hba.conf?
Date
Msg-id 20200825014940.GA32540@momjian.us
Whole thread Raw
In response to Re: "cert" + clientcert=verify-ca in pg_hba.conf?  (Kyotaro Horiguchi <horikyota.ntt@gmail.com>)
Responses Re: "cert" + clientcert=verify-ca in pg_hba.conf?
List pgsql-hackers
Tree view 
On Tue, Aug 25, 2020 at 10:41:26AM +0900, Kyotaro Horiguchi wrote:
> At Mon, 24 Aug 2020 20:01:26 -0400, Bruce Momjian <bruce@momjian.us> wrote in 
> > I have slightly adjusted the doc part of the patch, attached.
> 
> Thanks.
> 
>      In a <filename>pg_hba.conf</filename> record specifying certificate
> -    authentication, the authentication option <literal>clientcert</literal> is
> -    assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>,
> -    and it cannot be turned off since a client certificate is necessary for this
> -    method. What the <literal>cert</literal> method adds to the basic
> -    <literal>clientcert</literal> certificate validity test is a check that the
> -    <literal>cn</literal> attribute matches the database user name.
> +    authentication, the only valid value for <literal>clientcert</literal>
> +    is <literal>verify-full</literal>, and this has no affect since it
> +    just duplicates <literal>client</literal> authentication's behavior.
> 
> I read it as "it can be specified (without an error), but actually
> does nothing". If it is the correct reading, I prefer to mention that
> incompatible values cause an error.

Well, when I say "the only valid value", that means any other value is
invalid, and hence will generate an error.

> > > Related to that, pg_hba.conf accepts the combination of "cert" method
> > > and the option clientcert="verify-ca" but it is ignored. We should
> > > reject that combination the same way with "cert"+"no-verify".
> > 
> > Are you saying we should _require_ clientcert=verify-full when 'cert'
> > authentication is used?  I don't see the point of that --- I just
> > updated the docs to say doing so was duplicate behavior.
> 
> I don't suggest changing the current behavior. I'm saying it is the
> way it is working and we should correctly error-out that since it
> doesn't work as specified.

Uh, I don't understand what 'combination the same way with
"cert"+"no-verify"'.  Right now, cert with no clientcert/verify line
works just fine.  Is "no-verify" something special?  Are you saying it
is any random string that would generate an error?

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee

pgsql-hackers by date:

Previous
From: Kyotaro Horiguchi
Date:
Subject: Re: "cert" + clientcert=verify-ca in pg_hba.conf?
Next
From: Kyotaro Horiguchi
Date:
Subject: Re: "cert" + clientcert=verify-ca in pg_hba.conf?