</para>
<para>
- In a <filename>pg_hba.conf</filename> record specifying certificate
- authentication, the authentication option <literal>clientcert</literal> is
- assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>,
- and it cannot be turned off since a client certificate is necessary for this
- method. What the <literal>cert</literal> method adds to the basic
- <literal>clientcert</literal> certificate validity test is a check that the
- <literal>cn</literal> attribute matches the database user name.
+ It is redundant to use the <literal>clientcert</literal> option with
+ <literal>cert</literal> authentication because <literal>cert</literal>
+ authentication is effectively <literal>trust</literal> authentication
+ with <literal>clientcert=verify-full</literal>.
</para>
</sect1>
The <literal>clientcert</literal> authentication option is available for
all authentication methods, but only in <filename>pg_hba.conf</filename> lines
specified as <literal>hostssl</literal>. When <literal>clientcert</literal> is
- not specified or is set to <literal>no-verify</literal>, the server will still
- verify any presented client certificates against its CA file, if one is
- configured — but it will not insist that a client certificate be presented.
+ not specified, the server verifies the client certificate against its CA
+ file only if a client certificate is presented and the CA is configured.
</para>
<para>
*err_msg = "clientcert can only be configured for \"hostssl\" rows";
return false;
}
- if (strcmp(val, "1") == 0
- || strcmp(val, "verify-ca") == 0)
- {
- hbaline->clientcert = clientCertCA;
- }
- else if (strcmp(val, "verify-full") == 0)
+
+ if (strcmp(val, "verify-full") == 0)
{
hbaline->clientcert = clientCertFull;
}
- else if (strcmp(val, "0") == 0
- || strcmp(val, "no-verify") == 0)
+ else if (strcmp(val, "verify-ca") == 0)
{
if (hbaline->auth_method == uaCert)
{
ereport(elevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("clientcert cannot be set to \"no-verify\" when using \"cert\" authentication"),
+ errmsg("clientcert only accepts \"verify-full\" when using \"cert\" authentication"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
- *err_msg = "clientcert cannot be set to \"no-verify\" when using \"cert\" authentication";
+ *err_msg = "clientcert can only be set to \"verify-full\" when using \"cert\" authentication";
return false;
}
- hbaline->clientcert = clientCertOff;
+
+ hbaline->clientcert = clientCertCA;
}
else
{