On Mon, Aug 31, 2020 at 05:56:58PM +0900, Kyotaro Horiguchi wrote: > Hello, Bruce. > > At Thu, 27 Aug 2020 15:41:40 -0400, Bruce Momjian <br...@momjian.us> wrote in > > > My point here is just "are we OK to remove it?" > > > > Yes, in PG 14. Security is confusing enough, so having a mis-named > > option that doesn't do anything more than just not specifying clientcert > > is not useful and should be removed. > > Ok, this is that. If we spcify clientcert=no-verify other than for > "cert" authentication, server complains as the following at startup.
Why does clientcert=no-verify have any value, even for a cert-authentication line? > > LOG: no-verify or 0 is the default setting that is discouraged to use > > explicitly for clientcert option > > HINT: Consider removing the option instead. This option value is going to > > be deprecated in later version. > > CONTEXT: line 90 of configuration file > > "/home/horiguti/data/data_noverify/pg_hba.conf" I think it should just be removed in PG 14. This is a configuration setting, not an SQL-level item that needs a deprecation period. > And, cert clientcert=verifry-ca (and no-verify) is correctly rejected. > > > LOG: clientcert accepts only "verify-full" when using "cert" authentication > > I once I thought that the deprecation message should e WARNING but > later I changed my mind to change it to LOG unifying to surrounding > setting error messages. > > I'm going to register this to the coming CF. I plan to apply this once we are done discussing it. -- Bruce Momjian <br...@momjian.us> https://momjian.us EnterpriseDB https://enterprisedb.com The usefulness of a cup is in its emptiness, Bruce Lee
