| From: | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> |
|---|---|
| To: | bruce(at)momjian(dot)us |
| Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: "cert" + clientcert=verify-ca in pg_hba.conf? |
| Date: | 2020-08-25 06:53:20 |
| Message-ID: | 20200825.155320.986648039251743210.horikyota.ntt@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
At Mon, 24 Aug 2020 23:04:51 -0400, Bruce Momjian <bruce(at)momjian(dot)us> wrote in
> > > I don't see "no-verify" mentioned anywhere in our docs.
> >
> > no-verify itself is mentioned here.
> >
> > https://www.postgresql.org/docs/13/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
>
> Oh, I see it now, thanks. Do you have any idea what this part of the
> docs means?
>
> When <literal>clientcert</literal> is not specified or is set to
> <literal>no-verify</literal>, the server will still verify any presented
> client certificates against its CA file, if one is configured —
> but it will not insist that a client certificate be presented.
Ah.. Indeed.
Even if clientcert is not set or set to no-verify, it checks client
certificate against the CA if any. If verify-ca, client certificate
must be provided. As the result, no-verify actually fails if client
had a certificate that is not backed by the CA.
> Why is this useful?
I agree, but there seems to be an implementation reason for the
behavior. To identify an hba-line, some connection parameters like
user name and others sent over a connection is required. Thus the
clientcert option in the to-be-identified hba-line is unknown prior to
the time SSL connection is made. So the documentation might need
amendment. Roughly something like the following?
===
When <literal>clientcert</literal> is not specified or is set
to<literal>no-verify</literal>, clients can connect to server without
having a client certificate.
Note: Regardless of the setting of <literal>clientcert</literal>,
connection can end with failure if a client certificate that cannot be
verified by the server is stored in the ~/.postgresql directory.
===
By the way, the following table line might need to be changed?
libpq-ssl.html:
> <entry><filename>~/.postgresql/postgresql.crt</filename></entry>
> <entry>client certificate</entry>
- <entry>requested by server</entry>
The file is actually not requested by server, client just pushes to
server if any, unconditionally.
+ <entry>sent to server</entry>
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavel Stehule | 2020-08-25 06:57:27 | Re: proposal - function string_to_table |
| Previous Message | Peter Eisentraut | 2020-08-25 05:47:17 | some unused parameters cleanup |