From: | PG Bug reporting form <noreply(at)postgresql(dot)org> |
---|---|
To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Cc: | feikesteenbergen(at)gmail(dot)com |
Subject: | BUG #17354: pg_hba_file_rules always shows verify-ca when auth_method=cert |
Date: | 2022-01-04 14:57:59 |
Message-ID: | 17354-c15e70c226b05f59@postgresql.org |
Lists: | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 17354
Logged by: Feike Steenbergen
Email address: feikesteenbergen(at)gmail(dot)com
PostgreSQL version: 10.0
Operating system: Ubuntu x86_64
Description:
When adding a line to my pg_hba.conf as follows:
    hostssl all all all cert clientcert=verify-full
It baffled me that pg_hba_file_rules showed me the following entry:
    line_number | 106
    type        | hostssl
    database    | {all}
    user_name   | {all}
    address     | all
    netmask     | (null)
    auth_method | cert
    options     | {clientcert=verify-ca}
    error       | (null)
Which AFAIK, authentication method cert implies verify-full nowadays
(PG14).
I've observed this on PostgreSQL 14 and 13, my guess is that this piece of
code:
src/backend/libpq/hba.c
    /*
     * Enforce any parameters implied by other settings.
     */
    if (parsedline->auth_method == uaCert)
    {
        parsedline->clientcert = clientCertCA;
    }
Is the culprit as it seems to set clientcert=verify-ca unconditionally.
As my C hacking skills are almost non-existent, I dared not write a patch
myself for this one.
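
The override the report suspects, modelled as a small stand-alone C program. This is an added illustration, not PostgreSQL source and not a patch from this thread; the HbaLine struct and the functions parse_clientcert, options_text and shown_options are hypothetical names, and the raise-only variant is an assumption shown only for contrast.

```c
#include <stdio.h>
#include <string.h>

/* Stand-alone model; enum value names follow the snippet quoted in the report. */
typedef enum { clientCertOff, clientCertCA, clientCertFull } ClientCertMode;
typedef enum { uaTrust, uaCert } UserAuth;
typedef struct { UserAuth auth_method; ClientCertMode clientcert; } HbaLine;

/* Parse one "clientcert=..." option; 0 on success, -1 on anything else. */
static int parse_clientcert(HbaLine *line, const char *opt)
{
    if (strcmp(opt, "clientcert=verify-full") == 0)
        line->clientcert = clientCertFull;
    else if (strcmp(opt, "clientcert=verify-ca") == 0)
        line->clientcert = clientCertCA;
    else
        return -1;
    return 0;
}

/* The text an options column would show for the stored mode. */
static const char *options_text(const HbaLine *line)
{
    if (line->clientcert == clientCertFull) return "clientcert=verify-full";
    if (line->clientcert == clientCertCA)   return "clientcert=verify-ca";
    return "";
}

/* Parse a cert rule's option, apply the implied setting, return what is shown. */
/* unconditional=1 overwrites as in the quoted snippet; 0 only raises the level. */
static const char *shown_options(const char *opt, int unconditional)
{
    HbaLine line = { uaCert, clientCertOff };
    if (opt != NULL && parse_clientcert(&line, opt) != 0)
        return "invalid option";
    if (line.auth_method == uaCert &&
        (unconditional || line.clientcert < clientCertCA))
        line.clientcert = clientCertCA;
    return options_text(&line);
}

int main(void)
{
    const char *opt = "clientcert=verify-full";   /* option from the report */
    printf("unconditional: {%s}\nraise-only:    {%s}\n",
           shown_options(opt, 1), shown_options(opt, 0));
    return 0;
}
```

With the unconditional assignment, the explicitly configured verify-full is replaced before anything reads the parsed line, which matches the `{clientcert=verify-ca}` value in the report's output.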