pgsql: Add new clientcert hba option verify-full

Add new clientcert hba option verify-full

This allows a login to require both that the cn of the certificate
matches (like authentication type cert) *and* that another
authentication method (such as password or kerberos) succeeds as well.

The old value of clientcert=1 maps to the new clientcert=verify-ca,
clientcert=0 maps to the new clientcert=no-verify, and the new option
erify-full will add the validation of the CN.

Author: Julian Markwort, Marius Timmer
Reviewed by: Magnus Hagander, Thomas Munro

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/0516c61b756e39ed6eb7a6bb54311a841002211a

Modified Files
--------------
doc/src/sgml/client-auth.sgml  | 25 ++++++++++++-------
doc/src/sgml/runtime.sgml      | 54 ++++++++++++++++++++++++++++++++----------
src/backend/libpq/auth.c       | 47 +++++++++++++++++++++++++++---------
src/backend/libpq/hba.c        | 33 +++++++++++++++++++-------
src/include/libpq/hba.h        |  9 ++++++-
src/test/ssl/t/001_ssltests.pl | 23 +++++++++++++++++-
src/test/ssl/t/SSLServer.pm    | 10 +++++++-
7 files changed, 156 insertions(+), 45 deletions(-)