authorMagnus Hagander <magnus@hagander.net>2022-01-26 09:52:41 +0100
committerMagnus Hagander <magnus@hagander.net>2022-01-26 09:59:14 +0100
commit4afae689ead4ffbfdbaac1cd72794c729446596e (patch)
treee89a43eb4e86040a890dbb035d4cbba0bf980ee8 /src
parent75674c7ec1b1607e7013b5cebcb22d9c8b4b2cb6 (diff)
Fix pg_hba_file_rules for authentication method cert
For authentication method cert, clientcert=verify-full is implied. But the pg_hba_file_rules entry would incorrectly show clientcert=verify-ca. Per bug #17354 Reported-By: Feike Steenbergen Reviewed-By: Jonathan Katz Backpatch-through: 12
Diffstat (limited to 'src')
-rw-r--r--src/backend/libpq/hba.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 3be8778d216..64e59d4d88a 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1684,7 +1684,11 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
*/
if (parsedline->auth_method == uaCert)
{
- parsedline->clientcert = clientCertCA;
+ /*
+ * For auth method cert, client certificate validation is mandatory, and it implies
+ * the level of verify-full.
+ */
+ parsedline->clientcert = clientCertFull;
}
return parsedline;
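Review bot: The new comment in the `uaCert` branch says verify-full is implied but not why the assignment matters, and its first line runs well past 80 columns once the file's indentation is applied. Going by the commit message, the stored `clientcert` value is what pg_hba_file_rules reports, so I would say that and rewrap: `/* cert auth always validates the client certificate at verify-full level; */` `/* record that here so pg_hba_file_rules reports it, not verify-ca. */`. Where the verify-full check is actually enforced for cert connections is not visible in this hunk, so it would help to name that code path in the comment if it reads this field. The diffstat shows only hba.c changed under src, so a regression test asserting the view's output for a `cert` line looks to be missing. parse_hba_line starts outside the hunk.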