Overhaul pg_hba.conf clientcert's API

Since PG 12, clientcert no longer supported only on/off, so remove 1/0
as possible values, and instead support only the text strings
'verify-ca' and 'verify-full'.

Remove support for 'no-verify' since that is possible by just not
specifying clientcert.

Also, throw an error if 'verify-ca' is used and 'cert' authentication is
used, since cert authentication requires verify-full.

Also improve the docs.

THIS IS A BACKWARD INCOMPATIBLE API CHANGE.

Reported-by: Kyotaro Horiguchi
Discussion: https://postgr.es/m/20200716.093012.1627751694396009053.horikyota.ntt@gmail.com
Author: Kyotaro Horiguchi
Backpatch-through: master

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/253f1025da8c8d6e52f96f764658b76eb59290ad

Modified Files
--------------
doc/src/sgml/client-auth.sgml | 11 ++++-------
doc/src/sgml/runtime.sgml | 5 ++---
src/backend/libpq/hba.c | 18 +++++++-----------
3 files changed, 13 insertions(+), 21 deletions(-)
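
Added example (not part of the commit or of PostgreSQL): a pre-upgrade check that scans pg_hba.conf text for clientcert settings the commit message says are removed or rejected. The names check_hba and SAMPLE are hypothetical, the sample lines are constructed, and the parsing is a simplification that assumes options are the trailing name=value tokens after the auth method.

```python
import shlex

ACCEPTED = {"verify-ca", "verify-full"}  # values kept, per the commit message
REMOVED = {"1", "0", "no-verify"}        # values removed, per the commit message


def check_hba(text):
    """Return (line_number, message) findings for clientcert options."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        try:
            tokens = shlex.split(raw, comments=True)  # drops '#' comments, unquotes
        except ValueError:
            findings.append((lineno, "unbalanced quoting, line not checked"))
            continue
        # Assumption: options are the trailing name=value tokens.
        options = {}
        while tokens and "=" in tokens[-1]:
            name, _, value = tokens.pop().partition("=")
            options[name] = value
        if "clientcert" not in options or not tokens:
            continue
        method, value = tokens[-1], options["clientcert"]
        if value == "no-verify":
            findings.append((lineno, "clientcert=no-verify removed; omit clientcert"))
        elif value in REMOVED:
            findings.append((lineno, f"clientcert={value} removed; use "
                                     "'verify-ca' or 'verify-full'"))
        elif value not in ACCEPTED:
            findings.append((lineno, f"clientcert={value} is not an accepted value"))
        elif method == "cert" and value == "verify-ca":
            findings.append((lineno, "cert authentication requires verify-full"))
    return findings


# Constructed sample input, not taken from any real server.
SAMPLE = """\
# TYPE   DATABASE USER ADDRESS          METHOD        OPTIONS
hostssl  all      all  0.0.0.0/0        scram-sha-256 clientcert=1
hostssl  all      all  10.0.0.0/8       md5           clientcert=no-verify
hostssl  all      all  192.0.2.0/24     cert          clientcert=verify-ca
hostssl  all      all  198.51.100.0/24  cert          clientcert=verify-full
hostssl  all      all  203.0.113.0/24   scram-sha-256 clientcert=verify-ca
hostssl  all      all  203.0.113.0/24   cert          map=cn_map
"""

if __name__ == "__main__":
    for lineno, message in check_hba(SAMPLE):
        print(f"line {lineno}: {message}")
```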