diff options
| author | Magnus Hagander <magnus@hagander.net> | 2022-01-26 09:52:41 +0100 |
|---|---|---|
| committer | Magnus Hagander <magnus@hagander.net> | 2022-01-26 09:59:19 +0100 |
| commit | 81596645ca2ba382918fca9e82aa3089db737e14 (patch) | |
| tree | ae43a29e63c59242959c1da96d636da57531b8c4 /src | |
| parent | 213c5aa3bdba5783529d3c0f103dbfadf4f93f50 (diff) | |
| download | postgresql-81596645ca2ba382918fca9e82aa3089db737e14.tar.gz postgresql-81596645ca2ba382918fca9e82aa3089db737e14.zip | |
Fix pg_hba_file_rules for authentication method cert
For authentication method cert, clientcert=verify-full is implied. But
the pg_hba_file_rules entry would incorrectly show clientcert=verify-ca.
Per bug #17354
Reported-By: Feike Steenbergen
Reviewed-By: Jonathan Katz
Backpatch-through: 12
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/libpq/hba.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index 031c460d13f..d9a60843470 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -1632,7 +1632,11 @@ parse_hba_line(TokenizedLine *tok_line, int elevel) */ if (parsedline->auth_method == uaCert) { - parsedline->clientcert = clientCertCA; + /* + * For auth method cert, client certificate validation is mandatory, and it implies + * the level of verify-full. + */ + parsedline->clientcert = clientCertFull; } return parsedline; |