Re: "cert" + clientcert=verify-ca in pg_hba.conf?

On Wed, Aug 26, 2020 at 11:41:39AM +0900, Kyotaro Horiguchi wrote:
> At Tue, 25 Aug 2020 10:04:44 -0400, Bruce Momjian <bruce@momjian.us> wrote in 
> > I think there are a few problems here.  In the docs, it says "will still
> > verify", but it doesn't say if it verifies the CA, or the CA _and_ the
> > CN/username.
> 
> It verifies only CA.

OK, that will need to be clarified.

> > Second, since it is optional, what value does it have?
> > 
> > > > Why is this useful?
> > > 
> > > I agree, but there seems to be an implementation reason for the
> > > behavior. To identify an hba-line, some connection parameters like
> > > user name and others sent over a connection is required.  Thus the
> > > clientcert option in the to-be-identified hba-line is unknown prior to
> > > the time SSL connection is made. So the documentation might need
> > > amendment. Roughly something like the following?
> > 
> > Well, I realize internally we need a way to indicate clientcert is not
> > used, but why do we bother exposing that to the user as a named option?
> 
> Because we think we need any named value for every alternatives
> including the default value?

Well, not putting clientcert at all gives the default behavior, so why
have clientcert=no-verify?

> > And you are right that the option name 'no-verify' is wrong since it
> > will verify the CA if it exists, so it more like 'optionally-verify',
> > which seems useless from a user interface perspective.
> > 
> > I guess the behavior of no-verify matches our client-side
> > sslmode=prefer, but at least that has the value of using SSL if
> > available, which prevents user-visible network traffic, but doesn't
> > force it, but I am not sure what the value of optional certificate
> > verification is, since verification is all it does.  I guess it should
> > be called "prefer-verify".
> 
> The point of no-verify is to allow the absence of client
> certificate. It is similar to "prefer" in a sense that it allows the
> absence of availability of an SSL connection. (In a similar way to
> "prefer", we could "fall back" to "no client cert" SSL connection
> after verification failure but I think it's not worth doing.)

Well, sslmode=prefer gives encryption without identification. 
clientcert=no-verify has no value because it is just an optional CA
check that has no value because optional authentication is useless.  It
is like saying you can type in the password if you want, and we will
check it, or you can just not type in the password.

> "prefer-verify" seems right in that sense. But I'm not sure we may
> break backward compatibility for the reason.

True, but right now it is inaccurate so I think it just need to be fixed
or removed and documented in the PG 14 release notes.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee