On Sat, 2018-03-17 at 18:24 +0100, Magnus Hagander wrote:
I think we got confused about this; maybe I didn't grasp it fully before: CheckCertAuth is currently only called when auth method cert is used. So it actually makes sense to say that certificate authentication failed, I think.
I've modified my patch so it still uses CheckCertAuth, but now a different message is written to the log when clientcert=verify-full was used.
For auth method cert, the function should behave as before.
The user will only see what's printed in the auth_failed() function in auth.c with the addition of the logdetail string, which I don't touch with this patch.
As you said, it makes sense that more detailed information is only available in the server's log.
I've attached an updated version of the patch.
I'm not sure if it is preferred to keep patches as short as possible (mostly with respect to the changed lines in the documentation) or to organize changes so that the text matches the surrounding column width and text flow? Also, I've omitted mentions of the current usage 'clientcert=1' - this is still supported in code, but I think telling new users only about 'clientcert=verify-ca' and 'clientcert=verify-full' is clearer. Or am I wrong on this one?
Greetings
Julian
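As an added illustration of the two settings discussed above (this is not part of Julian's patch or message, and the host addresses and user names are constructed), a pg_hba.conf fragment contrasting clientcert=verify-ca with clientcert=verify-full. With verify-ca the server only checks that the client certificate chains to a trusted CA from ssl_ca_file; with verify-full it additionally requires that the certificate's CN matches the database user name (or maps to it through the named pg_ident.conf map), which is the check whose failure the patch reports with a distinct log message. The cert auth method performs the full check on its own, so clientcert is not needed on that line.

```text
# TYPE   DATABASE   USER   ADDRESS         METHOD   OPTIONS
# Password login over TLS; the client cert only has to chain to a trusted CA.
hostssl  all        all    10.0.0.0/8      md5      clientcert=verify-ca

# Password login over TLS; the client cert must also carry CN=<database user>.
hostssl  all        all    10.0.1.0/24     md5      clientcert=verify-full

# Certificate-only login: CN is checked against the user via the "certmap"
# map in pg_ident.conf; no clientcert option is required for method cert.
hostssl  all        all    10.0.2.0/24     cert     map=certmap
```

A client presenting a CA-signed certificate whose CN does not match the role it requests will be accepted on the first line and rejected on the second; the rejection reason (CN mismatch rather than an untrusted chain) is visible only in the server log, as the message above notes, while the client sees the generic authentication failure.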