From: | Cary Huang <cary(dot)huang(at)highgo(dot)ca> |
---|---|
To: | "pgsql-hackers" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | [PATCH] Documentation bug related to client authentication using TLS certificate |
Date: | 2020-03-02 19:06:57 |
Message-ID: | 1709ca4e52b.bc7cf1df92550.8273994887028801445@highgo.ca |
Lists: | pgsql-hackers |
Hi
I found a documentation bug about client authentication using a TLS certificate. When clientcert authentication is enabled in pg_hba.conf, libpq does not verify that the common name in the certificate matches the database username, as described in the documentation, before allowing the client connection.
Instead, when sslmode is set to "verify-full", libpq will verify whether the server host name matches the common name in the client certificate. When sslmode is set to "verify-ca", libpq will verify that the client is trustworthy by checking the certificate trust chain up to the root certificate, and it does not verify that the server hostname and the certificate common name match in this case.
The attached patch corrects the clientcert authentication description in the documentation.
cheers
Cary Huang
-------------
HighGo Software Inc. (Canada)
mailto:cary(dot)huang(at)highgo(dot)ca
Attachment | Content-Type | Size |
---|---|---|
client_cert_auth.patch | application/octet-stream | 1.2 KB |