Hello Magnus,

> I think this makes a lot of sense, and can definitely be a useful
> option.

I was hesitant to write a long and elaborate patch as I wasn't certain if there was any interest for such an addition, but I'm thankful for your input.

> However, the patch is completely lacking documentation, which
> obviously makes it a no-starter.

I'll write the missing documentation shortly.

> Also if I read it right, if the CN is not correct, it will give the
> error message "certificate authentication failed for user ...". I
> realize this comes from the re-use of the code, but I don't think
> this makes it very useful. We need to separate these two things.

The error message "certificate authentication failed for user XYZ: client certificate contains no user name" is the result of calling CheckCertAuth when the user presented a certificate without a CN in it.

The error message that is presented to the user upon trying to connect with a certificate containing a CN other than the username is:

---------------------
psql: FATAL: password authentication failed for user "nottestuser"
---------------------

The server's log contains the lines:

---------------------
2018-03-09 13:06:43.111 CET [3310] LOG: provided user name (nottestuser) and authenticated user name (testuser) do not match
2018-03-09 13:06:43.111 CET [3310] FATAL: password authentication failed for user "nottestuser"
2018-03-09 13:06:43.111 CET [3310] DETAIL: Connection matched pg_hba.conf line 97: "hostssl all nottestuser 127.0.0.1/32 password clientcert=verify-full"
---------------------

I'd argue that the message in the log file is consistent and useful; however, the message given by psql (or any libpq application for that matter) leaves uncertainty regarding the correctness of a provided password, for example.

I could attach the log message of CheckCertAuth to the logdetail; however, then I'd have issues if there is already something written to the logdetail. I could also use an additional ereport() call whenever clientcert was set to verify-full and the user name didn't match the CN.
Kind regards Julian
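As an added example (not part of Julian's message or of the PostgreSQL code base), the following parser shows how a defender could pick the CN/username mismatch out of the server log that the message quotes. The client only sees a generic "password authentication failed", so the server log is the only place where the verify-full mismatch is visible; the script correlates the LOG line with the DETAIL line of the same backend PID to recover which pg_hba.conf rule was hit. The log lines are a constructed sample copied from the message plus one unrelated line; the dataclass and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the three server-log lines quoted in the message,
# plus one unrelated line so the parser has something to ignore.
SAMPLE_LOG = """\
2018-03-09 13:06:43.111 CET [3310] LOG: provided user name (nottestuser) and authenticated user name (testuser) do not match
2018-03-09 13:06:43.111 CET [3310] FATAL: password authentication failed for user "nottestuser"
2018-03-09 13:06:43.111 CET [3310] DETAIL: Connection matched pg_hba.conf line 97: "hostssl all nottestuser 127.0.0.1/32 password clientcert=verify-full"
2018-03-09 13:07:01.500 CET [3312] LOG: connection authorized: user=testuser database=postgres
"""

# Generic shape of a default-format PostgreSQL log line: timestamp, [pid], LEVEL: message.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
# The verify-full mismatch message as quoted in the message above.
MISMATCH_RE = re.compile(
    r"provided user name \((?P<provided>[^)]*)\) and authenticated user name \((?P<cn>[^)]*)\) do not match"
)
# The DETAIL line naming the pg_hba.conf rule that matched the connection.
HBA_RE = re.compile(r'Connection matched pg_hba\.conf line (?P<line>\d+): "(?P<rule>[^"]*)"')


@dataclass
class CnMismatch:
    """One rejected connection whose certificate CN did not match the requested role."""
    pid: str
    timestamp: str
    provided_user: str      # role name the client asked for
    certificate_cn: str     # CN authenticated from the client certificate
    hba_line: Optional[int] = None
    hba_rule: Optional[str] = None


def parse_cn_mismatches(log_text: str) -> List[CnMismatch]:
    """Return one CnMismatch per 'do not match' LOG line, enriched with the
    pg_hba.conf rule from the DETAIL line emitted by the same backend PID."""
    pending: Dict[str, CnMismatch] = {}   # pid -> mismatch still awaiting its DETAIL line
    found: List[CnMismatch] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, level, msg = m.group("pid"), m.group("level"), m.group("msg")
        if level == "LOG":
            mm = MISMATCH_RE.search(msg)
            if mm:
                event = CnMismatch(pid, m.group("ts"), mm.group("provided"), mm.group("cn"))
                pending[pid] = event
                found.append(event)
        elif level == "DETAIL" and pid in pending:
            hm = HBA_RE.search(msg)
            if hm:
                event = pending.pop(pid)
                event.hba_line = int(hm.group("line"))
                event.hba_rule = hm.group("rule")
    return found


def uses_verify_full(event: CnMismatch) -> bool:
    """True when the matched pg_hba.conf rule carried clientcert=verify-full."""
    return event.hba_rule is not None and "clientcert=verify-full" in event.hba_rule.split()


if __name__ == "__main__":
    for ev in parse_cn_mismatches(SAMPLE_LOG):
        print(f"{ev.timestamp} pid={ev.pid}: role '{ev.provided_user}' requested with "
              f"certificate CN '{ev.certificate_cn}' (pg_hba.conf line {ev.hba_line}, "
              f"verify-full={uses_verify_full(ev)})")
```

Because the FATAL line only repeats what the client already saw, the parser keys on the LOG line and treats the DETAIL line as enrichment; a log with log_line_prefix changed would need LINE_RE adjusted to match.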