BUG #17354: pg_hba_file_rules always shows verify-ca when auth_method=cert

Started by PG Bug reporting form, over 4 years ago. 2 messages, bugs list.
#1 PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 17354
Logged by: Feike Steenbergen
Email address: feikesteenbergen@gmail.com
PostgreSQL version: 10.0
Operating system: Ubuntu x86_64
Description:

When adding a line to my pg_hba.conf as follows:

hostssl all all all cert clientcert=verify-full

It baffled me that pg_hba_file_rules showed me the following entry:

line_number | 106
type | hostssl
database | {all}
user_name | {all}
address | all
netmask | (null)
auth_method | cert
options | {clientcert=verify-ca}
error | (null)

Which, AFAIK, is not what the server does: authentication method cert implies
verify-full nowadays (PG14).
I've observed this on PostgreSQL 14 and 13; my guess is that this piece of
code:

src/backend/libpq/hba.c

    /*
     * Enforce any parameters implied by other settings.
     */
    if (parsedline->auth_method == uaCert)
    {
        parsedline->clientcert = clientCertCA;
    }

is the culprit, as it seems to set clientcert=verify-ca unconditionally.

As my C hacking skills are almost non-existent, I dared not write a patch
myself for this one.

#2 Magnus Hagander
magnus@hagander.net
In reply to: PG Bug reporting form (#1)
Re: BUG #17354: pg_hba_file_rules always shows verify-ca when auth_method=cert

On Tue, Jan 4, 2022 at 4:14 PM PG Bug reporting form
<noreply@postgresql.org> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 17354
> Logged by: Feike Steenbergen
> Email address: feikesteenbergen@gmail.com
> PostgreSQL version: 10.0
> Operating system: Ubuntu x86_64
> Description:
>
> When adding a line to my pg_hba.conf as follows:
>
> hostssl all all all cert clientcert=verify-full
>
> It baffled me that pg_hba_file_rules showed me the following entry:
>
> line_number | 106
> type | hostssl
> database | {all}
> user_name | {all}
> address | all
> netmask | (null)
> auth_method | cert
> options | {clientcert=verify-ca}
> error | (null)
>
> Which, AFAIK, is not what the server does: authentication method cert implies
> verify-full nowadays (PG14).
> I've observed this on PostgreSQL 14 and 13; my guess is that this piece of
> code:
>
> src/backend/libpq/hba.c
>
>     /*
>      * Enforce any parameters implied by other settings.
>      */
>     if (parsedline->auth_method == uaCert)
>     {
>         parsedline->clientcert = clientCertCA;
>     }
>
> is the culprit, as it seems to set clientcert=verify-ca unconditionally.
>
> As my C hacking skills are almost non-existent, I dared not write a patch
> myself for this one.

Thanks -- your analysis and identification are correct. I've pushed a
patch for this.

Apologies for the delay, I actually had a patch a long time ago, went
for an extra round to verify that this really was just a display issue
and not a security issue, and then promptly forgot to actually commit
it.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
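An added check (not from this thread or from PostgreSQL's own code) that makes the point of the report concrete: it parses pg_hba.conf rules and a pg_hba_file_rules row in the expanded "key | value" format shown above, and flags when the options column displays a clientcert level that differs from what the server enforces. The sample file and view row are constructed, and the rule that auth_method=cert always means verify-full is taken from the thread as an assumption; the function names are mine.

```python
import re

# Constructed sample pg_hba.conf (not the reporter's file); line 1 is the
# hostssl/cert rule from the thread.
SAMPLE_HBA = """\
hostssl all all all          cert          clientcert=verify-full
hostssl all all 10.0.0.0/8   scram-sha-256 clientcert=verify-ca
host    all all 127.0.0.1/32 trust
"""
# Constructed pg_hba_file_rules row (expanded format) for line 1, as an
# affected release would display it.
SAMPLE_VIEW_ROW = "line_number | 1\ntype | hostssl\nauth_method | cert\noptions | {clientcert=verify-ca}\n"

def parse_hba_file(text):
    """Map line number -> parsed rule. Assumes CIDR or keyword addresses
    (no separate netmask column); skips blank and comment lines."""
    rules = {}
    for n, line in enumerate(text.splitlines(), start=1):
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        m = 3 if f[0] == "local" else 4          # index of the METHOD field
        rules[n] = {"type": f[0], "database": f[1], "user": f[2],
                    "address": None if m == 3 else f[3], "auth_method": f[m],
                    "options": dict(t.split("=", 1) for t in f[m + 1:])}
    return rules

def effective_clientcert(rule):
    """What the server enforces. Assumption, per the thread: auth_method=cert
    always checks the certificate against the user name (verify-full),
    whatever the options column displays."""
    if rule["auth_method"] == "cert":
        return "verify-full"
    return rule["options"].get("clientcert", "none")

def parse_view_row(text):
    """Parse one 'key | value' expanded-output row of pg_hba_file_rules."""
    row = dict(re.split(r"\s*\|\s*", ln.strip(), maxsplit=1)
               for ln in text.splitlines() if ln.strip())
    opts = row.get("options", "(null)")
    row["options"] = (dict(t.split("=", 1) for t in opts.strip("{}").split(",") if t)
                      if opts.startswith("{") else {})
    row["line_number"] = int(row["line_number"])
    return row

def display_mismatch(rules, row):
    """(displayed, effective) if the view misreports clientcert, else None."""
    shown = row["options"].get("clientcert", "none")
    actual = effective_clientcert(rules[row["line_number"]])
    return (shown, actual) if shown != actual else None
```

Feeding it your own pg_hba.conf and the output of `SELECT * FROM pg_hba_file_rules` shows whether an entry is only misreported (as in this thread) rather than misconfigured.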