On Tue, Sep 1, 2020 at 01:59:25PM +0900, Kyotaro Horiguchi wrote:
> At Mon, 31 Aug 2020 11:34:29 -0400, Bruce Momjian <br...@momjian.us> wrote in
> > On Mon, Aug 31, 2020 at 05:56:58PM +0900, Kyotaro Horiguchi wrote:
> > > Ok, this is that. If we spcify clientcert=no-verify other than for
> > > "cert" authentication, server complains as the following at startup.
> >
> > Why does clientcert=no-verify have any value, even for a
> > cert-authentication line?
> >
> > > > LOG: no-verify or 0 is the default setting that is discouraged to use
> > > > explicitly for clientcert option
> > > > HINT: Consider removing the option instead. This option value is going
> > > > to be deprecated in later version.
> > > > CONTEXT: line 90 of configuration file
> > > > "/home/horiguti/data/data_noverify/pg_hba.conf"
> >
> > I think it should just be removed in PG 14. This is a configuration
> > setting, not an SQL-level item that needs a deprecation period.
>
> Ok, it is changed to just error out. I tempted to show a suggestion to
> removing the option in that case like the following, but *didn't* in
> this version of the patch.
OK, I have developed the attached patch based on yours. I reordered the
tests, simplified the documentation, and removed the hint since they
will already get a good error message, and we will document this change
in the release notes. It is also good you removed the 0/1 values for
this, since that was also confusing. We will put that removal in the
release notes too.
--
Bruce Momjian <br...@momjian.us> https://momjian.us
EnterpriseDB https://enterprisedb.com
The usefulness of a cup is in its emptiness, Bruce Lee
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
new file mode 100644
index 5cd88b4..a0d584f
*** a/doc/src/sgml/client-auth.sgml
--- b/doc/src/sgml/client-auth.sgml
*************** host ... radius radiusservers="server1,s
*** 2042,2054 ****
</para>
<para>
! In a <filename>pg_hba.conf</filename> record specifying certificate
! authentication, the authentication option <literal>clientcert</literal> is
! assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>,
! and it cannot be turned off since a client certificate is necessary for this
! method. What the <literal>cert</literal> method adds to the basic
! <literal>clientcert</literal> certificate validity test is a check that the
! <literal>cn</literal> attribute matches the database user name.
</para>
</sect1>
--- 2042,2051 ----
</para>
<para>
! It is redundant to use the <literal>clientcert</literal> option with
! <literal>cert</literal> authentication because <literal>cert</literal>
! authentication is effectively <literal>trust</literal> authentication
! with <literal>clientcert=verify-full</literal>.
</para>
</sect1>
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
new file mode 100644
index 6cda39f..322ac8e
*** a/doc/src/sgml/runtime.sgml
--- b/doc/src/sgml/runtime.sgml
*************** pg_dumpall -p 5432 | psql -d postgres -p
*** 2282,2290 ****
The <literal>clientcert</literal> authentication option is available for
all authentication methods, but only in <filename>pg_hba.conf</filename> lines
specified as <literal>hostssl</literal>. When <literal>clientcert</literal> is
! not specified or is set to <literal>no-verify</literal>, the server will still
! verify any presented client certificates against its CA file, if one is
! configured — but it will not insist that a client certificate be presented.
</para>
<para>
--- 2282,2289 ----
The <literal>clientcert</literal> authentication option is available for
all authentication methods, but only in <filename>pg_hba.conf</filename> lines
specified as <literal>hostssl</literal>. When <literal>clientcert</literal> is
! not specified, the server verifies the client certificate against its CA
! file only if a client certificate is presented and the CA is configured.
</para>
<para>
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
new file mode 100644
index 9d63830..3a87673
*** a/src/backend/libpq/hba.c
--- b/src/backend/libpq/hba.c
*************** parse_hba_auth_opt(char *name, char *val
*** 1708,1736 ****
*err_msg = "clientcert can only be configured for \"hostssl\" rows";
return false;
}
! if (strcmp(val, "1") == 0
! || strcmp(val, "verify-ca") == 0)
! {
! hbaline->clientcert = clientCertCA;
! }
! else if (strcmp(val, "verify-full") == 0)
{
hbaline->clientcert = clientCertFull;
}
! else if (strcmp(val, "0") == 0
! || strcmp(val, "no-verify") == 0)
{
if (hbaline->auth_method == uaCert)
{
ereport(elevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
! errmsg("clientcert can not be set to \"no-verify\" when using \"cert\" authentication"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
! *err_msg = "clientcert can not be set to \"no-verify\" when using \"cert\" authentication";
return false;
}
! hbaline->clientcert = clientCertOff;
}
else
{
--- 1708,1732 ----
*err_msg = "clientcert can only be configured for \"hostssl\" rows";
return false;
}
!
! if (strcmp(val, "verify-full") == 0)
{
hbaline->clientcert = clientCertFull;
}
! else if (strcmp(val, "verify-ca") == 0)
{
if (hbaline->auth_method == uaCert)
{
ereport(elevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
! errmsg("clientcert only accepts \"verify-full\" when using \"cert\" authentication"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
! *err_msg = "clientcert can only be set to \"verify-full\" when using \"cert\" authentication";
return false;
}
!
! hbaline->clientcert = clientCertCA;
}
else
{
