Re: "cert" + clientcert=verify-ca in pg_hba.conf?

On Thu, Jul 16, 2020 at 09:30:12AM +0900, Kyotaro Horiguchi wrote:
> Hello.
> 
> The "Certificate Authentication" section in the doc for PG12 and later
> describes the relation ship with clientcert as follows.
> 
> > In a pg_hba.conf record specifying certificate authentication, the
> > authentication option clientcert is assumed to be verify-ca or
> > verify-full, and it cannot be turned off since a client certificate
> > is necessary for this method. What the cert method adds to the basic
> > clientcert certificate validity test is a check that the cn
> > attribute matches the database user name.
> 
> In reality, cert method is assumed as "verify-full" and does not add
> anything to verify-full and cannot be degraded or turned off. It seems
> to be a mistake on rewriting it when clientcert was changed to accept
> verify-ca/full at PG12.

Agreed.  I was able to test this patch and it does what you explained. 
I have slightly adjusted the doc part of the patch, attached.

> Related to that, pg_hba.conf accepts the combination of "cert" method
> and the option clientcert="verify-ca" but it is ignored. We should
> reject that combination the same way with "cert"+"no-verify".

Are you saying we should _require_ clientcert=verify-full when 'cert'
authentication is used?  I don't see the point of that --- I just
updated the docs to say doing so was duplicate behavior.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee