Re: [PATCH] Documentation bug related to client authentication using TLS certificate

From: Chris Bandy
Subject: Re: [PATCH] Documentation bug related to client authentication using TLS certificate
Msg-id: 6ecb3825-ac9a-e1c0-9324-29cb771f65e9@gmail.com
In reply to: [PATCH] Documentation bug related to client authentication using TLS certificate (Cary Huang <cary.huang@highgo.ca>)
Replies: Re: [PATCH] Documentation bug related to client authentication using TLS certificate (Cary Huang <cary.huang@highgo.ca>)
List: pgsql-hackers
Hi, Cary.

On 3/2/20 1:06 PM, Cary Huang wrote:
> Hi
> 
> I found a document bug about client authentication using TLS 
> certificate. When clientcert authentication is enabled in pg_hba.conf, 
> libpq does not verify that the *common name* in certificate 
> matches *database username* like it is described in the documentation 
> before allowing client connection.
> 
> Instead, when sslmode is set to “verify-full”, libpq will verify if the 
> *server host name* matches the *common name* in client certificate.

This sounds incorrect. My understanding is that the *server* host name 
is always matched with the *server* common name.

> When
> sslmode is set to “verify-ca”, libpq will verify that the client is 
> trustworthy by checking the certificate trust chain up to the root 
> certificate and it does not verify *server hostname* and 
> certificate *common name* match in this case.

Similarly, libpq will verify the *server* is trustworthy by checking the 
*server* certificate up to the root. It does not verify that the host 
name matches the common name in the *server* certificate.

In all cases, libpq is responsible for verifying the *server* is who it 
claims to be.

-- Chris
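To make the two directions of verification in this thread concrete, here is an added configuration example (not from the thread or the PostgreSQL project); the host name, CIDR range and certificate file names are placeholders:

```conf
# --- Server side: pg_hba.conf (PostgreSQL 12+ option names) ---
# "cert" authentication: the server verifies the client certificate chain
# AND requires its CN to match the database user name (a verify-full check
# of the client, done by the server, not by libpq).
hostssl  all  all  10.0.0.0/8  cert

# Weaker pairing: the client chain is checked, but the CN is NOT matched to
# the user name; the password is what ties the connection to a user.
hostssl  all  all  10.0.0.0/8  scram-sha-256  clientcert=verify-ca

# --- Client side: libpq connection string ---
# verify-full: libpq checks the SERVER certificate chain against sslrootcert
# and that the server host name matches the server certificate.
# verify-ca would check the chain only, so a valid certificate for a
# different host would still be accepted.
#   host=db.example.com sslmode=verify-full sslrootcert=root.crt \
#   sslcert=client.crt sslkey=client.key
```

The client certificate (sslcert/sslkey) is only presented to the server; nothing in the libpq sslmode setting compares its CN to anything.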


