So, one has to use "cert clientcert=1" and not just "cert" in hba_conf? So "clientcert" is an auth-method option of "cert"? That isn't exactly clear in the hba_conf documentation - https://www.postgresql.org/docs/9.4/static/auth-methods.html#AUTH-CERT . That part of the document doesn't mention what you just said.
On Fri, Jul 15, 2016 at 6:33 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Srikanth Venkatesh <srix55@gmail.com> writes: > I guess it should mention that setting the parameter to 1 is no longer > required... and that the default is 1 for "cert".
In what way is it no longer required? Without that flag set, there's no insistence on a validated client cert.