Fix pg_hba_file_rules for authentication method cert

For authentication method cert, clientcert=verify-full is implied. But the pg_hba_file_rules entry would incorrectly show clientcert=verify-ca. Per bug #17354 Reported-By: Feike Steenbergen Reviewed-By: Jonathan Katz Backpatch-through: 12
author: Magnus Hagander <magnus@hagander.net> 2022-01-26 09:52:41 +0100
committer: Magnus Hagander <magnus@hagander.net> 2022-01-26 09:59:23 +0100
commit: aa58f5c53142782bd6a376a578d85d5ddd13d751 (patch)
tree: e304dc7568adc8e4be05d1361ece67bbf2b5000a
parent: 64b2c6507e5714b5c688b9c5cc551fbedb7b3b58 (diff)
download: postgresql-aa58f5c53142782bd6a376a578d85d5ddd13d751.tar.gz
postgresql-aa58f5c53142782bd6a376a578d85d5ddd13d751.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index baf78603693..755b28b32b3 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1632,7 +1632,11 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 	 */
 	if (parsedline->auth_method == uaCert)
 	{
-		parsedline->clientcert = clientCertCA;
+		/*
+		 * For auth method cert, client certificate validation is mandatory, and it implies
+		 * the level of verify-full.
+		 */
+		parsedline->clientcert = clientCertFull;
 	}
 
 	return parsedline;
author	Magnus Hagander <magnus@hagander.net>	2022-01-26 09:52:41 +0100
committer	Magnus Hagander <magnus@hagander.net>	2022-01-26 09:59:23 +0100
commit	aa58f5c53142782bd6a376a578d85d5ddd13d751 (patch)
tree	e304dc7568adc8e4be05d1361ece67bbf2b5000a
parent	64b2c6507e5714b5c688b9c5cc551fbedb7b3b58 (diff)
download	postgresql-aa58f5c53142782bd6a376a578d85d5ddd13d751.tar.gz postgresql-aa58f5c53142782bd6a376a578d85d5ddd13d751.zip