The following bug has been logged on the website:
Bug reference: 17354
Logged by: Feike Steenbergen
Email address: feikesteenbergen@gmail.com
PostgreSQL version: 10.0
Operating system: Ubuntu x86_64
Description:
When adding a line to my pg_hba.conf as follows:
hostssl all all all cert clientcert=verify-full
It baffled me that pg_hba_file_rules showed me the following entry:
line_number | 106
type | hostssl
database | {all}
user_name | {all}
address | all
netmask | (null)
auth_method | cert
options | {clientcert=verify-ca}
error | (null)
Which AFAIK, authentication method cert implies verify-full nowadays
(PG14).
I've observed this on PostgreSQL 14 and 13, my guess is that this piece of
code:
src/backend/libpq/hba.c
/*
* Enforce any parameters implied by other settings.
*/
if (parsedline->auth_method == uaCert)
{
parsedline->clientcert = clientCertCA;
}
Is the culprit as it seems to set clientcert=verify-ca unconditionally.
As my C hacking skills are almost non-existent, I dared not write a patch
myself for this one.