author | Magnus Hagander <magnus@hagander.net> | 2022-01-26 09:52:41 +0100 |
---|---|---|
committer | Magnus Hagander <magnus@hagander.net> | 2022-01-26 09:58:59 +0100 |
commit | 2dbb7b9b2279d064f66ce9008869fd0e2b794534 (patch) | |
tree | 346485fd12357f52aa2fa06a09200ad938068358 | |
parent | bd233bdd8dd95ea127a921998847724c44295736 (diff) | |
Fix pg_hba_file_rules for authentication method cert

For authentication method cert, clientcert=verify-full is implied. But
the pg_hba_file_rules entry would incorrectly show clientcert=verify-ca.

Per bug #17354

Reported-By: Feike Steenbergen
Reviewed-By: Jonathan Katz
Backpatch-through: 12
-rw-r--r-- | src/backend/libpq/hba.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index ff57ffa61c1..a7f3def184e 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -1684,7 +1684,11 @@ parse_hba_line(TokenizedLine *tok_line, int elevel) */ if (parsedline->auth_method == uaCert) { - parsedline->clientcert = clientCertCA; + /* + * For auth method cert, client certificate validation is mandatory, and it implies + * the level of verify-full. + */ + parsedline->clientcert = clientCertFull; } return parsedline; |
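Review bot: The assignment `parsedline->clientcert = clientCertFull;` in the `uaCert` branch of parse_hba_line() changes the parsed HBA record itself, not only what pg_hba_file_rules prints, so every consumer of `parsedline->clientcert` now sees the new value for cert lines. Since this is backpatched through 12, please confirm that no other code compares this field against `clientCertCA` for cert authentication and would behave differently after the change, and say so in the commit message. The diffstat shows only hba.c touched; a regression test that loads a `cert` line and checks the options column of pg_hba_file_rules would keep the displayed value from drifting again. Style point: the first line of the new comment ("For auth method cert, client certificate validation is mandatory, and it implies") is 80 characters before indentation and the comment leader are counted, so it runs past the 80-column limit and should be rewrapped.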