From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> |
Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
Subject: | Re: "cert" + clientcert=verify-ca in pg_hba.conf? |
Date: | 2020-08-26 22:36:50 |
Message-ID: | 20200826223650.GA13370@momjian.us |
Lists: | pgsql-hackers |
On Wed, Aug 26, 2020 at 06:13:23PM +0900, Kyotaro Horiguchi wrote:
> At Tue, 25 Aug 2020 22:52:44 -0400, Bruce Momjian <bruce(at)momjian(dot)us> wrote in
> > > Because we think we need any named value for every alternatives
> > > including the default value?
> >
> > Well, not putting clientcert at all gives the default behavior, so why
> > have clientcert=no-verify?
>
> clientcert=verify-ca or verify-full don't allow absence of client
> certificate. We need an option to allow the absence.
Isn't the option not specifying clientcert? Here are some valid
pg_hba.conf lines:
hostssl all all 127.0.0.1/32 trust clientcert=verify-full
hostssl all all 127.0.0.1/32 trust clientcert=verify-ca
hostssl all all 127.0.0.1/32 trust clientcert=no-verify
hostssl all all 127.0.0.1/32 trust
It is my understanding that the last two lines are the same. Why isn't
it sufficient to just tell users not to specify clientcert if they want
the default behavior? You can do:
host all all 192.168.0.0/16 ident map=omicron
but there is no way to specify the default map value of 'no map', so why
have one for clientcert?
> > Well, sslmode=prefer gives encryption without identification.
> > clientcert=no-verify has no value because it is just an optional CA
> > check that has no value because optional authentication is useless. It
>
> The point of the option is not to do optional CA check if possible,
> but to allow absence of client cert. We need to have that mode
> regardless of named or not named, and I believe we usually provide a
> name for default mode.
Uh, see above --- not really. The absence of the option is the default
action.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com
The usefulness of a cup is in its emptiness, Bruce Lee
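The four hostssl lines above differ only in their clientcert option, and the message's reading is that leaving the option out and writing clientcert=no-verify produce the same behaviour. The following is an added example, not code from this thread or from the PostgreSQL project: a small pg_hba.conf line parser that extracts the METHOD options, normalises a missing clientcert to no-verify (that equivalence is taken from the message, and is an assumption of this checker), and reports which SSL rules do not require a client certificate. It assumes the CIDR form of the ADDRESS column and the three clientcert values named in the message; the rule names, the sample file and the function names are constructed for the example.

```python
"""
Audit pg_hba.conf rules for their effective client-certificate policy.

Added example (not PostgreSQL's own parser). Assumes CIDR-style addresses
and the clientcert values verify-ca, verify-full and no-verify; a missing
clientcert option is treated as no-verify, per the reading in the message.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the four hostssl lines and the ident line from
# the message, plus a comment and a blank line to exercise the parser.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD  [OPTIONS]
hostssl all all 127.0.0.1/32 trust clientcert=verify-full
hostssl all all 127.0.0.1/32 trust clientcert=verify-ca
hostssl all all 127.0.0.1/32 trust clientcert=no-verify
hostssl all all 127.0.0.1/32 trust

host    all all 192.168.0.0/16 ident map=omicron
"""

CLIENTCERT_MODES = {"verify-ca", "verify-full", "no-verify"}
SSL_CONN_TYPES = {"hostssl"}  # rules to which a clientcert policy applies here


@dataclass
class HbaRule:
    conn_type: str
    database: str
    user: str
    address: Optional[str]   # None for 'local' rules, which have no ADDRESS
    method: str
    options: dict = field(default_factory=dict)
    lineno: int = 0


def parse_hba(text: str) -> List[HbaRule]:
    """Parse pg_hba.conf text into HbaRule records, skipping comments/blanks."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: too few fields for local rule")
            database, user, method = fields[1:4]
            address, rest = None, fields[4:]
        else:
            # host/hostssl/hostnossl carry an ADDRESS column (CIDR form assumed)
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: too few fields for {conn_type} rule")
            database, user, address, method = fields[1:5]
            rest = fields[5:]
        options = {}
        for opt in rest:
            if "=" not in opt:
                raise ValueError(f"line {lineno}: option {opt!r} is not NAME=VALUE")
            name, value = opt.split("=", 1)
            options[name] = value
        rules.append(HbaRule(conn_type, database, user, address, method, options, lineno))
    return rules


def effective_clientcert(rule: HbaRule) -> str:
    """Effective clientcert mode; absence is read as no-verify (assumption)."""
    mode = rule.options.get("clientcert", "no-verify")
    if mode not in CLIENTCERT_MODES:
        raise ValueError(f"line {rule.lineno}: unknown clientcert value {mode!r}")
    return mode


def requires_client_cert(rule: HbaRule) -> bool:
    """True when the rule rejects connections that present no client cert."""
    return effective_clientcert(rule) in {"verify-ca", "verify-full"}


def unverified_ssl_rules(rules: List[HbaRule]) -> List[int]:
    """Line numbers of SSL rules that accept a connection without a client cert."""
    return [r.lineno for r in rules
            if r.conn_type in SSL_CONN_TYPES and not requires_client_cert(r)]


if __name__ == "__main__":
    parsed = parse_hba(SAMPLE_HBA)
    for r in parsed:
        if r.conn_type in SSL_CONN_TYPES:
            print(f"line {r.lineno}: {r.conn_type} {r.method} -> clientcert={effective_clientcert(r)}")
    print("SSL rules not requiring a client certificate:", unverified_ssl_rules(parsed))
```

Run stand-alone, the report shows lines 4 and 5 of the sample collapsing to the same no-verify policy, which is the equivalence the message argues for; a real config audit would feed the output of `pg_hba.conf` into `parse_hba` instead of the constructed sample.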