Overhaul pg_hba.conf clientcert's API

Since PG 12, clientcert no longer supported only on/off, so remove 1/0
as possible values, and instead support only the text strings
'verify-ca' and 'verify-full'.

Remove support for 'no-verify' since that is possible by just not
specifying clientcert.

Also, throw an error if 'verify-ca' is used and 'cert' authentication is
used, since cert authentication requires verify-full.

Also improve the docs.

THIS IS A BACKWARD INCOMPATIBLE API CHANGE.

Reported-by: Kyotaro Horiguchi
Discussion: https://postgr.es/m/20200716.093012.1627751694396009053[email protected]

Author: Kyotaro Horiguchi

Backpatch-through: master

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index d62d1a061c9c1140717eb9a1ffd38033138f3b8c..bad3c3469c951ff128712c43d7756f6a2d80f01f 100644 (file)
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -2044,13 +2044,10 @@ host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""
    
 
    
-    In a pg_hba.conf record specifying certificate
-    authentication, the authentication option clientcert is
-    assumed to be verify-ca or verify-full,
-    and it cannot be turned off since a client certificate is necessary for this
-    method. What the cert method adds to the basic
-    clientcert certificate validity test is a check that the
-    cn attribute matches the database user name.
+    It is redundant to use the clientcert option with
+    cert authentication because cert
+    authentication is effectively trust authentication
+    with clientcert=verify-full.
    
   
 

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 418aa3f85c7a5354e266143626aefb367366dcb6..17e938148c5cd84a7f0999b052644d5e4bf04e64 100644 (file)
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2345,9 +2345,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
    The clientcert authentication option is available for
    all authentication methods, but only in pg_hba.conf lines
    specified as hostssl.  When clientcert is
-   not specified or is set to no-verify, the server will still
-   verify any presented client certificates against its CA file, if one is
-   configured — but it will not insist that a client certificate be presented.
+   not specified, the server verifies the client certificate against its CA
+   file only if a client certificate is presented and the CA is configured.
   
 
   

diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 7b54ffc31ea1dba8b2615d5de1b1d3c5f200ef41..4c86fb608748becd4da9a31c79fc0810d4829797 100644 (file)
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1730,29 +1730,25 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
            *err_msg = "clientcert can only be configured for \"hostssl\" rows";
            return false;
        }
-       if (strcmp(val, "1") == 0
-           || strcmp(val, "verify-ca") == 0)
-       {
-           hbaline->clientcert = clientCertCA;
-       }
-       else if (strcmp(val, "verify-full") == 0)
+
+       if (strcmp(val, "verify-full") == 0)
        {
            hbaline->clientcert = clientCertFull;
        }
-       else if (strcmp(val, "0") == 0
-                || strcmp(val, "no-verify") == 0)
+       else if (strcmp(val, "verify-ca") == 0)
        {
            if (hbaline->auth_method == uaCert)
            {
                ereport(elevel,
                        (errcode(ERRCODE_CONFIG_FILE_ERROR),
-                        errmsg("clientcert cannot be set to \"no-verify\" when using \"cert\" authentication"),
+                        errmsg("clientcert only accepts \"verify-full\" when using \"cert\" authentication"),
                         errcontext("line %d of configuration file \"%s\"",
                                    line_num, HbaFileName)));
-               *err_msg = "clientcert cannot be set to \"no-verify\" when using \"cert\" authentication";
+               *err_msg = "clientcert can only be set to \"verify-full\" when using \"cert\" authentication";
                return false;
            }
-           hbaline->clientcert = clientCertOff;
+
+           hbaline->clientcert = clientCertCA;
        }
        else
        {