Re: "cert" + clientcert=verify-ca in pg_hba.conf?

From: Kyotaro Horiguchi
Subject: Re: "cert" + clientcert=verify-ca in pg_hba.conf?
Msg-id: 20200825.155320.986648039251743210.horikyota.ntt@gmail.com
In reply to: Re: "cert" + clientcert=verify-ca in pg_hba.conf?  (Bruce Momjian <bruce@momjian.us>)
Responses: Re: "cert" + clientcert=verify-ca in pg_hba.conf?  (Bruce Momjian <bruce@momjian.us>)
List: pgsql-hackers
At Mon, 24 Aug 2020 23:04:51 -0400, Bruce Momjian <bruce@momjian.us> wrote in 
> > > I don't see "no-verify" mentioned anywhere in our docs.
> > 
> > no-verify itself is mentioned here.
> > 
> > https://www.postgresql.org/docs/13/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
> 
> Oh, I see it now, thanks.  Do you have any idea what this part of the
> docs means?
> 
>     When <literal>clientcert</literal> is not specified or is set to
>     <literal>no-verify</literal>, the server will still verify any presented
>     client certificates against its CA file, if one is configured —
>     but it will not insist that a client certificate be presented.

Ah.. Indeed.

Even if clientcert is not set or set to no-verify, it checks the client
certificate against the CA, if any. If verify-ca, a client certificate
must be provided. As a result, no-verify actually fails if the client
had a certificate that is not backed by the CA.

> Why is this useful?

I agree, but there seems to be an implementation reason for the
behavior. To identify an hba line, some connection parameters like
the user name and others sent over the connection are required.  Thus the
clientcert option in the to-be-identified hba line is unknown prior to
the time the SSL connection is made. So the documentation might need
amendment. Roughly something like the following?

===
When <literal>clientcert</literal> is not specified or is set
to <literal>no-verify</literal>, clients can connect to the server without
having a client certificate.

Note: Regardless of the setting of <literal>clientcert</literal>,
a connection can end in failure if a client certificate that cannot be
verified by the server is stored in the ~/.postgresql directory.
===

By the way, the following table line might need to be changed?

libpq-ssl.html:

>      <entry><filename>~/.postgresql/postgresql.crt</filename></entry>
>      <entry>client certificate</entry>
-      <entry>requested by server</entry>

The file is actually not requested by the server; the client just pushes it
to the server if it has one, unconditionally.

+      <entry>sent to server</entry>
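Review bot: the replacement cell text "sent to server" drops the condition the surrounding prose gives (the file is pushed only when the client has it); "sent to server if present" would state the behaviour the table row is meant to document, and keeps the three-cell layout of the adjacent rows intact.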


regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center
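As an added example (not code from this thread or from PostgreSQL itself), the following Python models the two behaviours discussed above: a pg_hba.conf line's clientcert setting (unset, no-verify, verify-ca, verify-full) or the cert method decides whether a client certificate is required, while a presented certificate is checked against the server CA regardless of that setting; and libpq sends ~/.postgresql/postgresql.crt whenever the file exists. The parser, the policy table, the sample pg_hba.conf and all function names are constructed for illustration and are assumptions, not PostgreSQL's own code.

```python
"""Added example, not code from the pgsql-hackers thread or from PostgreSQL.

Models the client-certificate rules discussed in the thread. Names, helper
functions and the sample pg_hba.conf below are constructed for illustration."""
import os
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Authentication methods pg_hba.conf accepts; used to distinguish a one-field
# address (CIDR or keyword) from the two-field "address netmask" form.
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
           "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}


@dataclass
class HbaRule:
    conn_type: str
    database: str
    user: str
    address: Optional[str]
    method: str
    options: Dict[str, str] = field(default_factory=dict)


def parse_hba(text: str) -> List[HbaRule]:
    """Parse pg_hba.conf text; comments and blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = shlex.split(line)
        if f[0] == "local":
            address, rest = None, f[3:]
        elif f[4] in METHODS:            # one-field address, e.g. 10.0.0.0/8 or all
            address, rest = f[3], f[4:]
        else:                            # two-field form, e.g. 192.168.1.0 255.255.255.0
            address, rest = f"{f[3]} {f[4]}", f[5:]
        options = dict(opt.split("=", 1) for opt in rest[1:])
        rules.append(HbaRule(f[0], f[1], f[2], address, rest[0], options))
    return rules


def client_cert_policy(rule: HbaRule) -> Dict[str, bool]:
    """What the server demands of a client certificate for this rule.
    host lines are treated like hostssl, i.e. as matched by a TLS connection."""
    policy = {"required": False, "verified_if_presented": True, "cn_must_match_user": False}
    if rule.conn_type in ("hostnossl", "local"):
        return {k: False for k in policy}   # no TLS, so no client certificate at all
    mode = rule.options.get("clientcert", "no-verify")
    if rule.method == "cert" or mode == "verify-full":
        policy.update(required=True, cn_must_match_user=True)  # cert auth == verify-full
    elif mode in ("verify-ca", "1"):        # "1" is the older spelling of verify-ca
        policy["required"] = True
    # unset, no-verify or 0: optional, but still checked against the CA when sent
    return policy


def simulate(rule: HbaRule, presents_cert: bool, signed_by_ca: bool = True,
             cert_cn: Optional[str] = None, user: Optional[str] = None) -> Tuple[bool, str]:
    """Outcome of the certificate stage of a connection matching `rule`."""
    if rule.conn_type in ("hostnossl", "local"):
        return True, "no TLS on this rule; client certificate not used"
    p = client_cert_policy(rule)
    if not presents_cert:
        if p["required"]:
            return False, "client certificate required but none presented"
        return True, "no client certificate presented; none required"
    if p["verified_if_presented"] and not signed_by_ca:
        # The case raised in the thread: even with clientcert unset or no-verify,
        # a certificate that does not chain to the server CA fails the connection.
        return False, "client certificate not signed by the server's CA"
    if p["cn_must_match_user"] and cert_cn != user:
        return False, f"certificate CN {cert_cn!r} does not match user {user!r}"
    return True, "client certificate accepted"


def libpq_presents_cert(home: str, sslcert: Optional[str] = None) -> bool:
    """libpq sends a client certificate whenever it has one: the sslcert
    parameter if given, otherwise ~/.postgresql/postgresql.crt if that file
    exists. (The PGSSLCERT environment variable is left out of this model.)"""
    path = sslcert or os.path.join(home, ".postgresql", "postgresql.crt")
    return os.path.isfile(path)


# Constructed sample pg_hba.conf (not from any real installation)
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS                    METHOD         [OPTIONS]
hostnossl  all       all   0.0.0.0/0                  reject
hostssl    all       all   10.0.0.0/8                 scram-sha-256
hostssl    all       all   10.0.0.0/8                 scram-sha-256  clientcert=verify-ca
hostssl    all       all   192.168.1.0 255.255.255.0  cert
"""

if __name__ == "__main__":
    for rule in parse_hba(SAMPLE_HBA):
        for presents, signed in ((False, True), (True, True), (True, False)):
            ok, why = simulate(rule, presents, signed, cert_cn="alice", user="alice")
            print(f"{rule.conn_type:9} {rule.method:14} {rule.options or ''} "
                  f"cert={presents} signed_by_ca={signed} -> {ok}: {why}")
```

Running the block prints, for each sample rule, the outcome with no certificate, a CA-signed certificate and a non-CA certificate; the second hostssl line shows the point of the thread, since the connection is accepted without a certificate but rejected when an unverifiable one is sent.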


