Re: BUG #17354: pg_hba_file_rules always shows verify-ca when auth_method=cert
From | Magnus Hagander |
---|---|
Subject | Re: BUG #17354: pg_hba_file_rules always shows verify-ca when auth_method=cert |
Date | |
Msg-id | CABUevEz9C610Jdr+R9HzWcFVbOr7kJt6Jc+RHGBJJ6VX8GYLeQ@mail.gmail.com |
In response to | BUG #17354: pg_hba_file_rules always shows verify-ca when auth_method=cert (PG Bug reporting form <noreply@postgresql.org>) |
List | pgsql-bugs |
On Tue, Jan 4, 2022 at 4:14 PM PG Bug reporting form <noreply@postgresql.org> wrote:
>
> The following bug has been logged on the website:
>
> Bug reference:      17354
> Logged by:          Feike Steenbergen
> Email address:      feikesteenbergen@gmail.com
> PostgreSQL version: 10.0
> Operating system:   Ubuntu x86_64
> Description:
>
> When adding a line to my pg_hba.conf as follows:
>
> hostssl all all all cert clientcert=verify-full
>
> It baffled me that pg_hba_file_rules showed me the following entry:
>
> line_number | 106
> type        | hostssl
> database    | {all}
> user_name   | {all}
> address     | all
> netmask     | (null)
> auth_method | cert
> options     | {clientcert=verify-ca}
> error       | (null)
>
> Which AFAIK, authentication method cert implies verify-full nowadays
> (PG14).
> I've observed this on PostgreSQL 14 and 13, my guess is that this piece of
> code:
>
> src/backend/libpq/hba.c
>
>     /*
>      * Enforce any parameters implied by other settings.
>      */
>     if (parsedline->auth_method == uaCert)
>     {
>         parsedline->clientcert = clientCertCA;
>     }
>
> Is the culprit as it seems to set clientcert=verify-ca unconditionally.
>
> As my C hacking skills are almost non-existent, I dared not write a patch
> myself for this one.

Thanks -- your analysis and identification is correct. I've pushed a patch for this.

Apologies for the delay, I actually had a patch a long time ago, went for an extra round to verify that this really was just a display issue and not a security issue, and then promptly forgot to actually commit it.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/