@@ -2042,13 +2042,10 @@ host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""
20422042 </para>
20432043
20442044 <para>
2045- In a <filename>pg_hba.conf</filename> record specifying certificate
2046- authentication, the authentication option <literal>clientcert</literal> is
2047- assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>,
2048- and it cannot be turned off since a client certificate is necessary for this
2049- method. What the <literal>cert</literal> method adds to the basic
2050- <literal>clientcert</literal> certificate validity test is a check that the
2051- <literal>cn</literal> attribute matches the database user name.
2045+ It is redundant to use the <literal>clientcert</literal> option with
2046+ <literal>cert</literal> authentication because <literal>cert</literal>
2047+ authentication is effectively <literal>trust</literal> authentication
2048+ with <literal>clientcert=verify-full</literal>.
20522049 </para>
20532050 </sect1>
20542051