Thread: hba_conf hostssl clientcert=1 no longer required in 9.4
The following documentation comment has been logged on the website:
Page: https://www.postgresql.org/docs/9.4/static/ssl-tcp.html
Description:
17.9.1. Using Client Certificates
(https://www.postgresql.org/docs/9.4/static/ssl-tcp.html)
The first paragraph contains this line "...and set the clientcert parameter
to 1 on the appropriate hostssl line(s) in pg_hba.conf" which isn't right
for 9.4.
srix55@gmail.com writes:
> The following documentation comment has been logged on the website:
> Page: https://www.postgresql.org/docs/9.4/static/ssl-tcp.html
> Description:
> 17.9.1. Using Client Certificates
> (https://www.postgresql.org/docs/9.4/static/ssl-tcp.html)
> The first paragraph contains this line "...and set the clientcert parameter
> to 1 on the appropriate hostssl line(s) in pg_hba.conf" which isn't right
> for 9.4.
Hmm, what do you think isn't right about it?
ISTM there's an omission here, which is that it'd be useful to mention
that clientcert=1 is assumed for the "cert" authentication method. But
the text seems okay as far as it goes.
regards, tom lane
Srikanth Venkatesh <srix55@gmail.com> writes:
> I guess it should mention that setting the parameter to 1 is no longer
> required... and that the default is 1 for "cert".
In what way is it no longer required? Without that flag set, there's
no insistence on a validated client cert.
regards, tom lane
Srikanth Venkatesh <srix55@gmail.com> writes:
> So, one has to use "cert clientcert=1" and not just "cert" in hba_conf? So
> "clientcert" is an auth-method option of "cert"? That isn't exactly clear
> in the hba_conf documentation -
> https://www.postgresql.org/docs/9.4/static/auth-methods.html#AUTH-CERT .
> That part of the document doesn't mention what you just said.
That's exactly not what I said. I've tried to clarify this at
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=745513c70282180afd83c666e43bdb0b6fb8c688
regards, tom lane
I guess it should mention that setting the parameter to 1 is no longer required... and that the default is 1 for "cert".
On Thu, Jul 14, 2016 at 11:00 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
srix55@gmail.com writes:
> The following documentation comment has been logged on the website:
> Page: https://www.postgresql.org/docs/9.4/static/ssl-tcp.html
> Description:
> 17.9.1. Using Client Certificates
> (https://www.postgresql.org/docs/9.4/static/ssl-tcp.html)
> The first paragraph contains this line "...and set the clientcert parameter
> to 1 on the appropriate hostssl line(s) in pg_hba.conf" which isn't right
> for 9.4.
Hmm, what do you think isn't right about it?
ISTM there's an omission here, which is that it'd be useful to mention
that clientcert=1 is assumed for the "cert" authentication method. But
the text seems okay as far as it goes.
regards, tom lane
So, one has to use "cert clientcert=1" and not just "cert" in hba_conf? So "clientcert" is an auth-method option of "cert"? That isn't exactly clear in the hba_conf documentation - https://www.postgresql.org/docs/9.4/static/auth-methods.html#AUTH-CERT . That part of the document doesn't mention what you just said.
On Fri, Jul 15, 2016 at 6:33 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Srikanth Venkatesh <srix55@gmail.com> writes:
> I guess it should mention that setting the parameter to 1 is no longer
> required... and that the default is 1 for "cert".
In what way is it no longer required? Without that flag set, there's
no insistence on a validated client cert.
regards, tom lane
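
Added example, not part of the thread and not PostgreSQL code: a small Python check that applies the rule stated above (a hostssl record insists on a validated client certificate only when it carries clientcert=1 or uses the "cert" method, which assumes it) to a pg_hba.conf and lists the hostssl lines that do not. The sample file, the function names and the simplified tokenizing (no @file includes) are assumptions of this example.

```python
import shlex

# Constructed sample pg_hba.conf in 9.4 syntax (not taken from the thread).
SAMPLE_HBA = """\
# TYPE   DATABASE  USER  ADDRESS       METHOD
local    all       all                 peer
hostssl  all       all   10.0.0.0/8    md5
hostssl  all       all   10.1.0.0/16   md5 clientcert=1
hostssl  all       all   10.2.0.0/16   cert map=cnmap
host     all       all   0.0.0.0/0     md5
"""

def parse_hba(text):
    """Yield (lineno, conn_type, method, options) for each record.

    Simplification: trailing name=value tokens are the options and the
    token before them is the auth method.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # drops '#' comments
        if not tokens:
            continue
        options = {}
        while len(tokens) > 1 and "=" in tokens[-1]:
            name, _, value = tokens.pop().partition("=")
            options[name] = value
        yield lineno, tokens[0], tokens[-1], options

def requires_client_cert(conn_type, method, options):
    """True if the record insists on a validated client certificate."""
    if conn_type != "hostssl":
        return False  # clientcert and "cert" only apply to hostssl records
    # "cert" assumes clientcert=1; any other method needs it spelled out.
    return method == "cert" or options.get("clientcert") == "1"

def unverified_hostssl_lines(text):
    """Line numbers of hostssl records that accept a TLS connection
    without demanding a validated client certificate."""
    return [lineno for lineno, conn_type, method, options in parse_hba(text)
            if conn_type == "hostssl"
            and not requires_client_cert(conn_type, method, options)]

if __name__ == "__main__":
    for lineno in unverified_hostssl_lines(SAMPLE_HBA):
        print(f"line {lineno}: hostssl record without clientcert=1 or cert")
```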