From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | feikesteenbergen(at)gmail(dot)com, pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: BUG #17354: pg_hba_file_rules always shows verify-ca when auth_method=cert |
Date: | 2022-01-26 09:03:49 |
Message-ID: | CABUevEz9C610Jdr+R9HzWcFVbOr7kJt6Jc+RHGBJJ6VX8GYLeQ@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
On Tue, Jan 4, 2022 at 4:14 PM PG Bug reporting form
<noreply(at)postgresql(dot)org> wrote:
>
> The following bug has been logged on the website:
>
> Bug reference: 17354
> Logged by: Feike Steenbergen
> Email address: feikesteenbergen(at)gmail(dot)com
> PostgreSQL version: 10.0
> Operating system: Ubuntu x86_64
> Description:
>
> When adding a line to my pg_hba.conf as follows:
>
> hostssl all all all cert clientcert=verify-full
>
> It baffled me that pg_hba_file_rules showed me the following entry:
>
> line_number | 106
> type | hostssl
> database | {all}
> user_name | {all}
> address | all
> netmask | (null)
> auth_method | cert
> options | {clientcert=verify-ca}
> error | (null)
>
> Which AFAIK, authentication method cert implies verify-full nowadays
> (PG14).
> I've observed this on PostgreSQL 14 and 13, my guess is that this piece of
> code:
>
> src/backend/libpq/hba.c
>
> /*
> * Enforce any parameters implied by other settings.
> */
> if (parsedline->auth_method == uaCert)
> {
> parsedline->clientcert = clientCertCA;
> }
>
> Is the culprit as it seems to set clientcert=verify-ca unconditionally.
>
> As my C hacking skills are almost non-existent, I dared not write a patch
> myself for this one.
Thanks -- your analysis and identification is correct. I've pushed a
patch for this.
Apologies for the delay, I actually had a patch a long time ago, went
for an extra round to verify that this really was just a display issue
and not a security issue, and then promptly forgot to actually commit
it.
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2022-01-26 15:29:45 | Re: BUG #17382: When vacuum full or vacuumdb - F is executed, a large number of empty files will be generated in the |
Previous Message | 两个孩子的爹 | 2022-01-26 08:29:10 | 回复:BUG #17382: When vacuum full or vacuumdb - F is executed, a large number of empty files will be generated in the |