On Wed, Aug 26, 2020 at 06:13:23PM +0900, Kyotaro Horiguchi wrote:
> At Tue, 25 Aug 2020 22:52:44 -0400, Bruce Momjian <br...@momjian.us> wrote in
> > > Because we think we need any named value for every alternatives
> > > including the default value?
> >
> > Well, not putting clientcert at all gives the default behavior, so why
> > have clientcert=no-verify?
>
> clientcert=verify-ca or verify-full don't allow absence of client
> certificate. We need an option to allow the absence.
Isn't the option not specifying clientcert? Here are some valid pg_hba.conf lines:

	hostssl all all 127.0.0.1/32 trust clientcert=verify-full
	hostssl all all 127.0.0.1/32 trust clientcert=verify-ca
	hostssl all all 127.0.0.1/32 trust clientcert=no-verify
	hostssl all all 127.0.0.1/32 trust

It is my understanding that the last two lines are the same. Why isn't it sufficient to just tell users not to specify clientcert if they want the default behavior? You can do:

	host all all 192.168.0.0/16 ident map=omicron

but there is no way to specify the default map value of 'no map', so why have one for clientcert?

> > Well, sslmode=prefer gives encryption without identification.
> > clientcert=no-verify has no value because it is just an optional CA
> > check that has no value because optional authentication is useless. It
>
> The point of the option is not to do optional CA check if possible,
> but to allow absence of client cert. We need to have that mode
> regardless of named or not named, and I believe we usually provide a
> name for default mode.

Uh, see above --- not really. The absence of the option is the default action.

-- 
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee
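As an added example (not from this thread and not PostgreSQL's own code), a small audit helper that parses pg_hba.conf lines and reports the effective clientcert mode, treating an absent option the same as clientcert=no-verify as the message above states; it also handles "local" lines and other name=value options such as map=. The sample config text and all function names are constructed for the example.

```python
# Added audit helper for pg_hba.conf (not PostgreSQL code). Field layout assumed:
#   TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS...]   (no ADDRESS for "local")
# Rule taken from the message above: an absent clientcert option behaves like
# clientcert=no-verify, i.e. no client certificate is required or checked.

def parse_hba_line(line):
    """Return a dict for one pg_hba.conf record, or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tokens = line.split()
    if tokens[0] == "local":
        conn_type, database, user, address, rest = tokens[0], tokens[1], tokens[2], None, tokens[3:]
    else:
        conn_type, database, user, address, rest = tokens[0], tokens[1], tokens[2], tokens[3], tokens[4:]
    method, options = rest[0], {}
    for opt in rest[1:]:  # trailing name=value pairs such as clientcert=... or map=...
        name, _, value = opt.partition("=")
        options[name] = value
    return {"type": conn_type, "database": database, "user": user,
            "address": address, "method": method, "options": options}

def effective_clientcert(entry):
    """Effective client-certificate mode for a record.
    The cert method always requires and fully verifies a client certificate;
    otherwise the explicit clientcert value applies, and absence means no-verify."""
    if entry["method"] == "cert":
        return "verify-full"
    return entry["options"].get("clientcert", "no-verify")

def audit(conf_text):
    """Report hostssl records where TLS is on but nothing authenticates the client:
    method trust with no effective client-certificate verification."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        entry = parse_hba_line(raw)
        if entry is None:
            continue
        mode = effective_clientcert(entry)
        if entry["type"] == "hostssl" and entry["method"] == "trust" and mode == "no-verify":
            findings.append((lineno, entry["address"], mode))
    return findings

# Constructed sample mirroring the lines quoted in the message above.
SAMPLE_HBA = """\
# constructed sample pg_hba.conf
hostssl all all 127.0.0.1/32 trust clientcert=verify-full
hostssl all all 127.0.0.1/32 trust clientcert=verify-ca
hostssl all all 127.0.0.1/32 trust clientcert=no-verify
hostssl all all 127.0.0.1/32 trust
host    all all 192.168.0.0/16 ident map=omicron
"""
```

Running audit(SAMPLE_HBA) flags only lines 4 and 5, which shows the two records the message calls identical really do resolve to the same mode.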