On Mon, Aug 31, 2020 at 05:56:58PM +0900, Kyotaro Horiguchi wrote:
> Hello, Bruce.
>
> At Thu, 27 Aug 2020 15:41:40 -0400, Bruce Momjian <bruce@momjian.us> wrote in
> > > My point here is just "are we OK to remove it?"
> >
> > Yes, in PG 14. Security is confusing enough, so having a mis-named
> > option that doesn't do anything more than just not specifying clientcert
> > is not useful and should be removed.
>
> Ok, this is that. If we spcify clientcert=no-verify other than for
> "cert" authentication, server complains as the following at startup.
Why does clientcert=no-verify have any value, even for a
cert-authentication line?
> > LOG: no-verify or 0 is the default setting that is discouraged to use explicitly for clientcert option
> > HINT: Consider removing the option instead. This option value is going to be deprecated in later version.
> > CONTEXT: line 90 of configuration file "/home/horiguti/data/data_noverify/pg_hba.conf"
I think it should just be removed in PG 14. This is a configuration
setting, not an SQL-level item that needs a deprecation period.
> And, cert clientcert=verifry-ca (and no-verify) is correctly rejected.
>
> > LOG: clientcert accepts only "verify-full" when using "cert" authentication
>
> I once I thought that the deprecation message should e WARNING but
> later I changed my mind to change it to LOG unifying to surrounding
> setting error messages.
>
> I'm going to register this to the coming CF.
I plan to apply this once we are done discussing it.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EnterpriseDB https://enterprisedb.com
The usefulness of a cup is in its emptiness, Bruce Lee