diff options
| author | Bruce Momjian <bruce@momjian.us> | 2020-10-05 15:48:40 -0400 |
|---|---|---|
| committer | Bruce Momjian <bruce@momjian.us> | 2020-10-05 15:48:50 -0400 |
| commit | 253f1025da8c8d6e52f96f764658b76eb59290ad (patch) | |
| tree | 38fc72168864087798f2a2ee1a1415a640569aad /src | |
| parent | 18c170a08ee23d03a06d235ea628fecb057d974f (diff) | |
| download | postgresql-253f1025da8c8d6e52f96f764658b76eb59290ad.tar.gz postgresql-253f1025da8c8d6e52f96f764658b76eb59290ad.zip | |
Overhaul pg_hba.conf clientcert's API
Since PG 12, clientcert no longer supported only on/off, so remove 1/0
as possible values, and instead support only the text strings
'verify-ca' and 'verify-full'.
Remove support for 'no-verify' since that is possible by just not
specifying clientcert.
Also, throw an error if 'verify-ca' is used and 'cert' authentication is
used, since cert authentication requires verify-full.
Also improve the docs.
THIS IS A BACKWARD INCOMPATIBLE API CHANGE.
Reported-by: Kyotaro Horiguchi
Discussion: https://postgr.es/m/20200716.093012.1627751694396009053.horikyota.ntt@gmail.com
Author: Kyotaro Horiguchi
Backpatch-through: master
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/libpq/hba.c | 18 |
1 files changed, 7 insertions, 11 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index 7b54ffc31ea..4c86fb60874 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -1730,29 +1730,25 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, *err_msg = "clientcert can only be configured for \"hostssl\" rows"; return false; } - if (strcmp(val, "1") == 0 - || strcmp(val, "verify-ca") == 0) - { - hbaline->clientcert = clientCertCA; - } - else if (strcmp(val, "verify-full") == 0) + + if (strcmp(val, "verify-full") == 0) { hbaline->clientcert = clientCertFull; } - else if (strcmp(val, "0") == 0 - || strcmp(val, "no-verify") == 0) + else if (strcmp(val, "verify-ca") == 0) { if (hbaline->auth_method == uaCert) { ereport(elevel, (errcode(ERRCODE_CONFIG_FILE_ERROR), - errmsg("clientcert cannot be set to \"no-verify\" when using \"cert\" authentication"), + errmsg("clientcert only accepts \"verify-full\" when using \"cert\" authentication"), errcontext("line %d of configuration file \"%s\"", line_num, HbaFileName))); - *err_msg = "clientcert cannot be set to \"no-verify\" when using \"cert\" authentication"; + *err_msg = "clientcert can only be set to \"verify-full\" when using \"cert\" authentication"; return false; } - hbaline->clientcert = clientCertOff; + + hbaline->clientcert = clientCertCA; } else { |