| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgsql: Add new clientcert hba option verify-full |
| Date: | 2019-03-09 20:22:42 |
| Message-ID: | E1h2iUU-0007fE-7W@gemulon.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Add new clientcert hba option verify-full
This allows a login to require both that the cn of the certificate
matches (like authentication type cert) *and* that another
authentication method (such as password or kerberos) succeeds as well.
The old value of clientcert=1 maps to the new clientcert=verify-ca,
clientcert=0 maps to the new clientcert=no-verify, and the new option
erify-full will add the validation of the CN.
Author: Julian Markwort, Marius Timmer
Reviewed by: Magnus Hagander, Thomas Munro
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/0516c61b756e39ed6eb7a6bb54311a841002211a
Modified Files
--------------
doc/src/sgml/client-auth.sgml | 25 ++++++++++++-------
doc/src/sgml/runtime.sgml | 54 ++++++++++++++++++++++++++++++++----------
src/backend/libpq/auth.c | 47 +++++++++++++++++++++++++++---------
src/backend/libpq/hba.c | 33 +++++++++++++++++++-------
src/include/libpq/hba.h | 9 ++++++-
src/test/ssl/t/001_ssltests.pl | 23 +++++++++++++++++-
src/test/ssl/t/SSLServer.pm | 10 +++++++-
7 files changed, 156 insertions(+), 45 deletions(-)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2019-03-09 23:42:56 | pgsql: Simplify release-note links to back branches. |
| Previous Message | Magnus Hagander | 2019-03-09 18:48:11 | pgsql: Track block level checksum failures in pg_stat_database |