NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit253f102

committed

Overhaul pg_hba.conf clientcert's API

Since PG 12, clientcert no longer supported only on/off, so remove 1/0as possible values, and instead support only the text strings'verify-ca' and 'verify-full'.Remove support for 'no-verify' since that is possible by just notspecifying clientcert.Also, throw an error if 'verify-ca' is used and 'cert' authentication isused, since cert authentication requires verify-full.Also improve the docs.THIS IS A BACKWARD INCOMPATIBLE API CHANGE.Reported-by: Kyotaro HoriguchiDiscussion:https://postgr.es/m/20200716.093012.1627751694396009053.horikyota.ntt@gmail.comAuthor: Kyotaro HoriguchiBackpatch-through: master

1 parent18c170a commit253f102Copy full SHA for 253f102

File tree

3 files changed

+13

-21

lines changed

doc/src/sgml
- client-auth.sgml
- runtime.sgml
src/backend/libpq
- hba.c

3 files changed

+13

-21

lines changed

`‎doc/src/sgml/client-auth.sgml`

Lines changed: 4 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -2044,13 +2044,10 @@ host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""`
`2044`	`2044`	`</para>`
`2045`	`2045`
`2046`	`2046`	`<para>`
`2047`		`- In a <filename>pg_hba.conf</filename> record specifying certificate`
`2048`		`- authentication, the authentication option <literal>clientcert</literal> is`
`2049`		`- assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>,`
`2050`		`- and it cannot be turned off since a client certificate is necessary for this`
`2051`		`- method. What the <literal>cert</literal> method adds to the basic`
`2052`		`- <literal>clientcert</literal> certificate validity test is a check that the`
`2053`		`- <literal>cn</literal> attribute matches the database user name.`
	`2047`	`+ It is redundant to use the <literal>clientcert</literal> option with`
	`2048`	`+ <literal>cert</literal> authentication because <literal>cert</literal>`
	`2049`	`+ authentication is effectively <literal>trust</literal> authentication`
	`2050`	`+ with <literal>clientcert=verify-full</literal>.`
`2054`	`2051`	`</para>`
`2055`	`2052`	`</sect1>`
`2056`	`2053`

`‎doc/src/sgml/runtime.sgml`

Lines changed: 2 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -2345,9 +2345,8 @@ pg_dumpall -p 5432 \| psql -d postgres -p 5433`
`2345`	`2345`	`The <literal>clientcert</literal> authentication option is available for`
`2346`	`2346`	`all authentication methods, but only in <filename>pg_hba.conf</filename> lines`
`2347`	`2347`	`specified as <literal>hostssl</literal>. When <literal>clientcert</literal> is`
`2348`		`- not specified or is set to <literal>no-verify</literal>, the server will still`
`2349`		`- verify any presented client certificates against its CA file, if one is`
`2350`		`- configured — but it will not insist that a client certificate be presented.`
	`2348`	`+ not specified, the server verifies the client certificate against its CA`
	`2349`	`+ file only if a client certificate is presented and the CA is configured.`
`2351`	`2350`	`</para>`
`2352`	`2351`
`2353`	`2352`	`<para>`

`‎src/backend/libpq/hba.c`

Lines changed: 7 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -1730,29 +1730,25 @@ parse_hba_auth_opt(char name, char val, HbaLine *hbaline,`
`1730`	`1730`	`*err_msg="clientcert can only be configured for \"hostssl\" rows";`
`1731`	`1731`	`return false;`
`1732`	`1732`	`}`
`1733`		`-if (strcmp(val,"1")==0`
`1734`		`-\|\|strcmp(val,"verify-ca")==0)`
`1735`		`-{`
`1736`		`-hbaline->clientcert=clientCertCA;`
`1737`		`-}`
`1738`		`-elseif (strcmp(val,"verify-full")==0)`
	`1733`	`+`
	`1734`	`+if (strcmp(val,"verify-full")==0)`
`1739`	`1735`	`{`
`1740`	`1736`	`hbaline->clientcert=clientCertFull;`
`1741`	`1737`	`}`
`1742`		`-elseif (strcmp(val,"0")==0`
`1743`		`-\|\|strcmp(val,"no-verify")==0)`
	`1738`	`+elseif (strcmp(val,"verify-ca")==0)`
`1744`	`1739`	`{`
`1745`	`1740`	`if (hbaline->auth_method==uaCert)`
`1746`	`1741`	`{`
`1747`	`1742`	`ereport(elevel,`
`1748`	`1743`	`(errcode(ERRCODE_CONFIG_FILE_ERROR),`
`1749`		`-errmsg("clientcertcannot be set to \"no-verify\" when using \"cert\" authentication"),`
	`1744`	`+errmsg("clientcertonly accepts \"verify-full\" when using \"cert\" authentication"),`
`1750`	`1745`	`errcontext("line %d of configuration file \"%s\"",`
`1751`	`1746`	`line_num,HbaFileName)));`
`1752`		`-*err_msg="clientcertcannotbe set to \"no-verify\" when using \"cert\" authentication";`
	`1747`	`+*err_msg="clientcertcan onlybe set to \"verify-full\" when using \"cert\" authentication";`
`1753`	`1748`	`return false;`
`1754`	`1749`	`}`
`1755`		`-hbaline->clientcert=clientCertOff;`
	`1750`	`+`
	`1751`	`+hbaline->clientcert=clientCertCA;`
`1756`	`1752`	`}`
`1757`	`1753`	`else`
`1758`	`1754`	`{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit253f102

File tree

3 files changed

3 files changed

`‎doc/src/sgml/client-auth.sgml`

`‎doc/src/sgml/runtime.sgml`

`‎src/backend/libpq/hba.c`

0 commit comments