Re: "cert" + clientcert=verify-ca in pg_hba.conf? - Mailing list pgsql-hackers
| From | Kyotaro Horiguchi |
|---|---|
| Subject | Re: "cert" + clientcert=verify-ca in pg_hba.conf? |
| Date | |
| Msg-id | 20201005.102508.1114563385970077497.horikyota.ntt@gmail.com Whole thread Raw |
| In response to | Re: "cert" + clientcert=verify-ca in pg_hba.conf? (Bruce Momjian <bruce@momjian.us>) |
| Responses |
Re: "cert" + clientcert=verify-ca in pg_hba.conf?
|
| List | pgsql-hackers |
At Fri, 2 Oct 2020 22:55:45 -0400, Bruce Momjian <bruce@momjian.us> wrote in
> On Fri, Sep 25, 2020 at 09:33:48AM +0900, Kyotaro Horiguchi wrote:
> > At Thu, 24 Sep 2020 11:43:40 -0400, Bruce Momjian <bruce@momjian.us> wrote in
> > > On Thu, Sep 24, 2020 at 12:44:01PM +0900, Michael Paquier wrote:
> > > > On Tue, Sep 01, 2020 at 10:27:03PM -0400, Bruce Momjian wrote:
> > > > > OK, good. Let's wait a few days and I will then apply it for PG 14.
> > > >
> > > > It has been a few days, and nothing has happened here. I have not
> > > > looked at the patch in details, so I cannot say if that's fine or not,
> > > > but please note that the patch fails to apply per the CF bot.
> > >
> > > I will handle it.
> >
> > Thank you Bruce, Michael. This is a rebased version.
> >
> > regards.
> >
> > --
> > Kyotaro Horiguchi
> > NTT Open Source Software Center
>
> > >From 2978479ada887284eae0ed36c8acf29f1a002feb Mon Sep 17 00:00:00 2001
> > From: Kyotaro Horiguchi <horikyoga.ntt@gmail.com>
> > Date: Tue, 21 Jul 2020 23:01:27 +0900
> > Subject: [PATCH v2] Allow directory name for GUC ssl_crl_file and connection
> > option sslcrl
> >
> > X509_STORE_load_locations accepts a directory, which leads to
> > on-demand loading method with which method only relevant CRLs are
> > loaded.
>
> Uh, I think this CRL patch is the wrong patch. This thread is about the
> clientcert=verify-ca in pg_hba.conf. I will use the patch I developed
> and posted on Tue, 1 Sep 2020 11:47:34 -0400 in this thread.
Mmmm. Sorry for the silly mistake. I'm confused with another one.
FWIW, the cause is a rewording of "cannot" to "can not". This is the
right one.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index d62d1a061c..bad3c3469c 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -2044,13 +2044,10 @@ host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""
</para>
<para>
- In a <filename>pg_hba.conf</filename> record specifying certificate
- authentication, the authentication option <literal>clientcert</literal> is
- assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>,
- and it cannot be turned off since a client certificate is necessary for this
- method. What the <literal>cert</literal> method adds to the basic
- <literal>clientcert</literal> certificate validity test is a check that the
- <literal>cn</literal> attribute matches the database user name.
+ It is redundant to use the <literal>clientcert</literal> option with
+ <literal>cert</literal> authentication because <literal>cert</literal>
+ authentication is effectively <literal>trust</literal> authentication
+ with <literal>clientcert=verify-full</literal>.
</para>
</sect1>
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 418aa3f85c..17e938148c 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2345,9 +2345,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
The <literal>clientcert</literal> authentication option is available for
all authentication methods, but only in <filename>pg_hba.conf</filename> lines
specified as <literal>hostssl</literal>. When <literal>clientcert</literal> is
- not specified or is set to <literal>no-verify</literal>, the server will still
- verify any presented client certificates against its CA file, if one is
- configured — but it will not insist that a client certificate be presented.
+ not specified, the server verifies the client certificate against its CA
+ file only if a client certificate is presented and the CA is configured.
</para>
<para>
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 7b54ffc31e..8de437422d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1730,29 +1730,24 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
*err_msg = "clientcert can only be configured for \"hostssl\" rows";
return false;
}
- if (strcmp(val, "1") == 0
- || strcmp(val, "verify-ca") == 0)
- {
- hbaline->clientcert = clientCertCA;
- }
- else if (strcmp(val, "verify-full") == 0)
+
+ if (strcmp(val, "verify-full") == 0)
{
hbaline->clientcert = clientCertFull;
}
- else if (strcmp(val, "0") == 0
- || strcmp(val, "no-verify") == 0)
+ else if (strcmp(val, "verify-ca") == 0)
{
if (hbaline->auth_method == uaCert)
{
ereport(elevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("clientcert cannot be set to \"no-verify\" when using \"cert\" authentication"),
+ errmsg("clientcert only accepts \"verify-full\" when using \"cert\" authentication"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
- *err_msg = "clientcert cannot be set to \"no-verify\" when using \"cert\" authentication";
+ *err_msg = "clientcert can only be set to \"verify-full\" when using \"cert\" authentication";
return false;
}
- hbaline->clientcert = clientCertOff;
+ hbaline->clientcert = clientCertCA;
}
else
{
pgsql-hackers by date: