Re: BUG #17354: pg_hba_file_rules always shows verify-ca when auth_method=cert

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: feikesteenbergen(at)gmail(dot)com, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #17354: pg_hba_file_rules always shows verify-ca when auth_method=cert
Date: 2022-01-26 09:03:49
Message-ID: CABUevEz9C610Jdr+R9HzWcFVbOr7kJt6Jc+RHGBJJ6VX8GYLeQ@mail.gmail.com
Lists: pgsql-bugs

On Tue, Jan 4, 2022 at 4:14 PM PG Bug reporting form
<noreply(at)postgresql(dot)org> wrote:
>
> The following bug has been logged on the website:
>
> Bug reference: 17354
> Logged by: Feike Steenbergen
> Email address: feikesteenbergen(at)gmail(dot)com
> PostgreSQL version: 10.0
> Operating system: Ubuntu x86_64
> Description:
>
> When adding a line to my pg_hba.conf as follows:
>
> hostssl all all all cert clientcert=verify-full
>
> It baffled me that pg_hba_file_rules showed me the following entry:
>
> line_number | 106
> type | hostssl
> database | {all}
> user_name | {all}
> address | all
> netmask | (null)
> auth_method | cert
> options | {clientcert=verify-ca}
> error | (null)
>
> Whereas, AFAIK, authentication method cert implies verify-full nowadays
> (PG14).
> I've observed this on PostgreSQL 14 and 13; my guess is that this piece of
> code:
>
> src/backend/libpq/hba.c
>
>     /*
>      * Enforce any parameters implied by other settings.
>      */
>     if (parsedline->auth_method == uaCert)
>     {
>         parsedline->clientcert = clientCertCA;
>     }
>
> is the culprit, as it seems to set clientcert=verify-ca unconditionally.
>
> As my C hacking skills are almost non-existent, I dared not write a patch
> myself for this one.

Thanks -- your analysis and identification are correct. I've pushed a
patch for this.

Apologies for the delay, I actually had a patch a long time ago, went
for an extra round to verify that this really was just a display issue
and not a security issue, and then promptly forgot to actually commit
it.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
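The discrepancy discussed above, as an added example that is not part of the thread or of PostgreSQL: a small pg_hba.conf host-record parser that derives the clientcert level the server actually enforces (cert authentication implies verify-full) alongside the value the quoted hba.c branch caused pg_hba_file_rules to display, so an operator can confirm it is a display-only mismatch. Only host/hostssl/hostnossl records are handled, the sample configuration is constructed, and `displayed_before_fix` models the quoted branch, not the server's real code.

```python
import ipaddress
import shlex

# Constructed sample; only the first rule is taken from the bug report.
SAMPLE_HBA = """\
# TYPE   DATABASE USER ADDRESS      METHOD         [OPTIONS]
hostssl  all      all  all          cert           clientcert=verify-full
hostssl  all      all  10.0.0.0/8   scram-sha-256  clientcert=verify-ca
hostssl  all      all  192.168.1.0  255.255.255.0  cert
host     all      all  127.0.0.1/32 trust
"""

def parse_hba(text):
    """One dict per host record: line_number, type, auth_method, options."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("local"):
            continue
        f = shlex.split(line)
        # TYPE DATABASE USER ADDRESS [NETMASK] METHOD [OPTIONS...]; netmask present if field 5 is an IP
        try:
            ipaddress.ip_address(f[4])
            idx = 5
        except ValueError:
            idx = 4
        options = dict(opt.split("=", 1) for opt in f[idx + 1:])
        rules.append({"line_number": lineno, "type": f[0],
                      "auth_method": f[idx], "options": options})
    return rules

def effective_clientcert(rule):
    """verify-full, verify-ca or None, as the server actually enforces it."""
    if rule["type"] != "hostssl":
        return None           # clientcert only applies to SSL connections
    if rule["auth_method"] == "cert":
        return "verify-full"  # cert auth always checks the CN against the role
    return rule["options"].get("clientcert")

def displayed_before_fix(rule):
    """Pre-fix pg_hba_file_rules value: the quoted hba.c branch overwrote
    clientcert with clientCertCA for every cert rule."""
    if rule["auth_method"] == "cert":
        return "verify-ca"
    return rule["options"].get("clientcert")

def mismatches(text):
    """Line numbers where the pre-fix display disagrees with enforcement."""
    return [r["line_number"] for r in parse_hba(text)
            if displayed_before_fix(r) != effective_clientcert(r)]
```

Running `mismatches(SAMPLE_HBA)` flags only the two cert rules, matching the report: the displayed option differs, but the enforced level is verify-full in both cases.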
