From 253f1025da8c8d6e52f96f764658b76eb59290ad Mon Sep 17 00:00:00 2001 From: Bruce Momjian Date: Mon, 5 Oct 2020 15:48:40 -0400 Subject: [PATCH] Overhaul pg_hba.conf clientcert's API Since PG 12, clientcert no longer supported only on/off, so remove 1/0 as possible values, and instead support only the text strings 'verify-ca' and 'verify-full'. Remove support for 'no-verify' since that is possible by just not specifying clientcert. Also, throw an error if 'verify-ca' is used and 'cert' authentication is used, since cert authentication requires verify-full. Also improve the docs. THIS IS A BACKWARD INCOMPATIBLE API CHANGE. Reported-by: Kyotaro Horiguchi Discussion: https://postgr.es/m/20200716.093012.1627751694396009053.horikyota.ntt@gmail.com Author: Kyotaro Horiguchi Backpatch-through: master --- doc/src/sgml/client-auth.sgml | 11 ++++------- doc/src/sgml/runtime.sgml | 5 ++--- src/backend/libpq/hba.c | 18 +++++++----------- 3 files changed, 13 insertions(+), 21 deletions(-) diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index d62d1a061c9..bad3c3469c9 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -2044,13 +2044,10 @@ host ... radius radiusservers="server1,server2" radiussecrets="""secret one"","" - In a pg_hba.conf record specifying certificate - authentication, the authentication option clientcert is - assumed to be verify-ca or verify-full, - and it cannot be turned off since a client certificate is necessary for this - method. What the cert method adds to the basic - clientcert certificate validity test is a check that the - cn attribute matches the database user name. + It is redundant to use the clientcert option with + cert authentication because cert + authentication is effectively trust authentication + with clientcert=verify-full. diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 418aa3f85c7..17e938148c5 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -2345,9 +2345,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 The clientcert authentication option is available for all authentication methods, but only in pg_hba.conf lines specified as hostssl. When clientcert is - not specified or is set to no-verify, the server will still - verify any presented client certificates against its CA file, if one is - configured — but it will not insist that a client certificate be presented. + not specified, the server verifies the client certificate against its CA + file only if a client certificate is presented and the CA is configured. diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index 7b54ffc31ea..4c86fb60874 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -1730,29 +1730,25 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, *err_msg = "clientcert can only be configured for \"hostssl\" rows"; return false; } - if (strcmp(val, "1") == 0 - || strcmp(val, "verify-ca") == 0) - { - hbaline->clientcert = clientCertCA; - } - else if (strcmp(val, "verify-full") == 0) + + if (strcmp(val, "verify-full") == 0) { hbaline->clientcert = clientCertFull; } - else if (strcmp(val, "0") == 0 - || strcmp(val, "no-verify") == 0) + else if (strcmp(val, "verify-ca") == 0) { if (hbaline->auth_method == uaCert) { ereport(elevel, (errcode(ERRCODE_CONFIG_FILE_ERROR), - errmsg("clientcert cannot be set to \"no-verify\" when using \"cert\" authentication"), + errmsg("clientcert only accepts \"verify-full\" when using \"cert\" authentication"), errcontext("line %d of configuration file \"%s\"", line_num, HbaFileName))); - *err_msg = "clientcert cannot be set to \"no-verify\" when using \"cert\" authentication"; + *err_msg = "clientcert can only be set to \"verify-full\" when using \"cert\" authentication"; return false; } - hbaline->clientcert = clientCertOff; + + hbaline->clientcert = clientCertCA; } else {