Re: postgres ssl client certificate authentification

From Tom Lane
Subject Re: postgres ssl client certificate authentification
Date
Msg-id 959129.1634312968@sss.pgh.pa.us
In response to postgres ssl client certificate authentification  ("Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch>)
List pgsql-general
"Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch> writes:
> I am playing around with postgres ssl encryption. I am confused about client certificate authentication:

> <quote>
> The second approach combines any authentication method for hostssl entries with the verification of client
> certificates by setting the clientcert authentication option to verify-ca or verify-full. The former option only
> enforces that the certificate is valid, while the latter also ensures that the cn (Common Name) in the certificate
> matches the user name or an applicable mapping.
> </quote>
> https://www.postgresql.org/docs/12/ssl-tcp.html

Given that your server is 9.6.x, you're reading the wrong version
of the docs.  Per

https://www.postgresql.org/docs/9.6/auth-pg-hba-conf.html

the only clientcert value that does anything is "1":

    In addition to the method-specific options listed below, there is one
    method-independent authentication option clientcert, which can be
    specified in any hostssl record. When set to 1, this option requires
    the client to present a valid (trusted) SSL certificate, in addition
    to the other requirements of the authentication method.

            regards, tom lane
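
Added example, not part of the message above and not PostgreSQL code: a small pg_hba.conf check for the version mismatch discussed in this thread, flagging `clientcert` values that have no effect on the server actually running. The function name, the sample file, and the cutoff at version 12 (taken from the 12 docs being the ones that describe `verify-ca`/`verify-full`) are assumptions of this sketch.

```python
# Constructed sample pg_hba.conf, not taken from the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE USER ADDRESS      METHOD OPTIONS
hostssl all      all  10.0.0.0/8   md5    clientcert=verify-full
hostssl all      all  10.1.0.0/16  md5    clientcert=1
host    all      all  10.2.0.0/16  md5    clientcert=1
hostssl all      all  10.3.0.0/16  md5
"""


def clientcert_findings(hba_text, server_version):
    """Return [(line_no, message)] for clientcert options that will not
    enforce client certificate verification on the given server version.

    server_version is a tuple such as (9, 6) or (12,).
    Simplification: fields are split on whitespace, so quoted fields
    containing spaces or '#' are not handled.
    """
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        # Authentication options are the trailing name=value fields.
        options = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        if "clientcert" not in options:
            continue
        value = options["clientcert"].strip('"')
        if fields[0] != "hostssl":
            # Per the docs quoted above, clientcert belongs on hostssl records.
            findings.append((line_no, "clientcert is only valid on hostssl records"))
        elif server_version < (12,) and value != "1":
            # Assumption: verify-ca / verify-full exist only from version 12 on.
            findings.append(
                (line_no, f"clientcert={value} has no effect on this server; "
                          "only clientcert=1 requires a trusted certificate"))
    return findings


if __name__ == "__main__":
    for line_no, message in clientcert_findings(SAMPLE_HBA, (9, 6)):
        print(f"pg_hba.conf:{line_no}: {message}")
```
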


