author | Magnus Hagander <magnus@hagander.net> | 2019-03-09 12:09:10 -0800 |
---|---|---|
committer | Magnus Hagander <magnus@hagander.net> | 2019-03-09 12:19:47 -0800 |
commit | 0516c61b756e39ed6eb7a6bb54311a841002211a (patch) | |
tree | 7dc8f6760d2e0d1f19f1cbd5bde7cf09e0528ec0 /src/test/ssl/t/SSLServer.pm | |
parent | 6b9e875f7286d8535bff7955e5aa3602e188e436 (diff) | |
download | postgresql-0516c61b756e39ed6eb7a6bb54311a841002211a.tar.gz postgresql-0516c61b756e39ed6eb7a6bb54311a841002211a.zip |
Add new clientcert hba option verify-full
This allows a login to require both that the cn of the certificate
matches (like authentication type cert) *and* that another
authentication method (such as password or kerberos) succeeds as well.
The old value of clientcert=1 maps to the new clientcert=verify-ca,
clientcert=0 maps to the new clientcert=no-verify, and the new option
verify-full will add the validation of the CN.
Author: Julian Markwort, Marius Timmer
Reviewed by: Magnus Hagander, Thomas Munro
Diffstat (limited to 'src/test/ssl/t/SSLServer.pm')
-rw-r--r-- | src/test/ssl/t/SSLServer.pm | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSLServer.pm
index b1b5b7f0b34..d25c38dbbc7 100644
--- a/src/test/ssl/t/SSLServer.pm
+++ b/src/test/ssl/t/SSLServer.pm
@@ -103,8 +103,10 @@ sub configure_test_server_for_ssl
 # Create test users and databases
 $node->psql('postgres', "CREATE USER ssltestuser");
 $node->psql('postgres', "CREATE USER anotheruser");
+ $node->psql('postgres', "CREATE USER yetanotheruser");
 $node->psql('postgres', "CREATE DATABASE trustdb");
 $node->psql('postgres', "CREATE DATABASE certdb");
+ $node->psql('postgres', "CREATE DATABASE verifydb");

 # Update password of each user as needed.
 if (defined($password))
@@ -183,12 +185,18 @@ sub configure_hba_for_ssl
 # When connecting to certdb, also check the client certificate.
 open my $hba, '>', "$pgdata/pg_hba.conf";
 print $hba
- "# TYPE DATABASE USER ADDRESS METHOD\n";
+ "# TYPE DATABASE USER ADDRESS METHOD OPTIONS\n";
 print $hba
 "hostssl trustdb all $serverhost/32 $authmethod\n";
 print $hba
 "hostssl trustdb all ::1/128 $authmethod\n";
 print $hba
+ "hostssl verifydb ssltestuser $serverhost/32 $authmethod clientcert=verify-full\n";
+ print $hba
+ "hostssl verifydb anotheruser $serverhost/32 $authmethod clientcert=verify-full\n";
+ print $hba
+ "hostssl verifydb yetanotheruser $serverhost/32 $authmethod clientcert=verify-ca\n";
+ print $hba
 "hostssl certdb all $serverhost/32 cert\n";
 print $hba
 "hostssl certdb all ::1/128 cert\n";
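Review bot: The comment `# When connecting to certdb, also check the client certificate.` above the new pg_hba rules is now incomplete, since the three verifydb entries also demand a client certificate but at two different strictness levels, and nothing in the file says what distinguishes them. I would extend it to `# When connecting to certdb or verifydb, also check the client certificate; for verifydb, verify-full additionally requires the certificate CN to match the role name, while verify-ca only requires a chain to the trusted CA.` Separately, trustdb and certdb each get a `::1/128` rule alongside `$serverhost/32`, but the verifydb rules cover only `$serverhost/32`, so an IPv6 loopback connection to verifydb would be rejected by pg_hba before the clientcert path is exercised at all — presumably the tests only connect via $serverhost, but a one-line comment stating that the IPv6 rule is deliberately omitted would prevent a future copy-paste inconsistency. The enclosing sub configure_hba_for_ssl begins outside the hunk.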