diff options
| author | Bruce Momjian <bruce@momjian.us> | 2020-10-05 15:48:40 -0400 |
|---|---|---|
| committer | Bruce Momjian <bruce@momjian.us> | 2020-10-05 15:48:50 -0400 |
| commit | 253f1025da8c8d6e52f96f764658b76eb59290ad (patch) | |
| tree | 38fc72168864087798f2a2ee1a1415a640569aad /doc/src | |
| parent | 18c170a08ee23d03a06d235ea628fecb057d974f (diff) | |
| download | postgresql-253f1025da8c8d6e52f96f764658b76eb59290ad.tar.gz postgresql-253f1025da8c8d6e52f96f764658b76eb59290ad.zip | |
Overhaul pg_hba.conf clientcert's API
Since PG 12, clientcert no longer supported only on/off, so remove 1/0
as possible values, and instead support only the text strings
'verify-ca' and 'verify-full'.
Remove support for 'no-verify' since that is possible by just not
specifying clientcert.
Also, throw an error if 'verify-ca' is used and 'cert' authentication is
used, since cert authentication requires verify-full.
Also improve the docs.
THIS IS A BACKWARD INCOMPATIBLE API CHANGE.
Reported-by: Kyotaro Horiguchi
Discussion: https://postgr.es/m/20200716.093012.1627751694396009053.horikyota.ntt@gmail.com
Author: Kyotaro Horiguchi
Backpatch-through: master
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/client-auth.sgml | 11 | ||||
| -rw-r--r-- | doc/src/sgml/runtime.sgml | 5 |
2 files changed, 6 insertions, 10 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index d62d1a061c9..bad3c3469c9 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -2044,13 +2044,10 @@ host ... radius radiusservers="server1,server2" radiussecrets="""secret one"","" </para> <para> - In a <filename>pg_hba.conf</filename> record specifying certificate - authentication, the authentication option <literal>clientcert</literal> is - assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>, - and it cannot be turned off since a client certificate is necessary for this - method. What the <literal>cert</literal> method adds to the basic - <literal>clientcert</literal> certificate validity test is a check that the - <literal>cn</literal> attribute matches the database user name. + It is redundant to use the <literal>clientcert</literal> option with + <literal>cert</literal> authentication because <literal>cert</literal> + authentication is effectively <literal>trust</literal> authentication + with <literal>clientcert=verify-full</literal>. </para> </sect1> diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 418aa3f85c7..17e938148c5 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -2345,9 +2345,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 The <literal>clientcert</literal> authentication option is available for all authentication methods, but only in <filename>pg_hba.conf</filename> lines specified as <literal>hostssl</literal>. When <literal>clientcert</literal> is - not specified or is set to <literal>no-verify</literal>, the server will still - verify any presented client certificates against its CA file, if one is - configured — but it will not insist that a client certificate be presented. + not specified, the server verifies the client certificate against its CA + file only if a client certificate is presented and the CA is configured. </para> <para> |