Alex Hunsaker wrote:
> On Thu, Oct 23, 2008 at 08:51, Magnus Hagander <magnus@hagander.net> wrote:
>> Magnus Hagander wrote:
>>> This patch adds a configuration option to pg_hba.conf for "clientcert".
>>> This makes it possible to have different client certificate requirements
>>> on different connections. It also makes sure that if you specify that
>>> you want client cert verification and the root store isn't there, we
>>> give an error instead of silently allowing the user in (like we do now).
>>>
>>> This still does not implement actual client certificate validation -
>>> that's for a later step. It just cleans up the handling we have now.
>> Uh, with docs.
>>
>> //Magnus
>
> Hi in getting ready to view the other clientcert patch, I thought I
> should give this a quick look over.
>
> this hunk will break non ssl builds (due to port->peer):
>
> *** a/src/backend/libpq/auth.c
> --- b/src/backend/libpq/auth.c
> ***************
> *** 272,277 **** ClientAuthentication(Port *port)
> --- 272,303 ----
> errmsg("missing or erroneous pg_hba.conf file"),
> errhint("See server log for details.")));
>
> + /*
> + * This is the first point where we have access to the hba record for
> + * the current connection, so perform any verifications based on the
> + * hba options field that should be done *before* the authentication
> + * here.
> + */
> + if (port->hba->clientcert)
> + {
> + /*
> + * When we parse pg_hba.conf, we have already made sure that we have
> + * been able to load a certificate store. Thus, if a certificate is
> + * present on the client, it has been verified against our root
> + * certificate store, and the connection would have been aborted
> + * already if it didn't verify ok.
> + */
> + if (!port->peer)
> + {
> + ereport(FATAL,
> + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
> + errmsg("connection requires a valid client certificate")));
> + }
> + }
> +
> + /*
> + * Now proceed to do the actual authentication check
> + */
> switch (port->hba->auth_method)
> {
Good point, thanks!
Added #ifdef USE_SSL around it.
(will address the other part of your response in a separate mail)
//Magnus