hba_conf hostssl clientcert=1 no longer required in 9.4

Started by Srikanth Venkatesh almost 10 years ago; 6 messages; docs
#1 Srikanth Venkatesh
srix55@gmail.com

The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/9.4/static/ssl-tcp.html
Description:

17.9.1. Using Client Certificates
(https://www.postgresql.org/docs/9.4/static/ssl-tcp.html)

The first paragraph contains this line "...and set the clientcert parameter
to 1 on the appropriate hostssl line(s) in pg_hba.conf" which isn't right
for 9.4.

--
Sent via pgsql-docs mailing list (pgsql-docs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-docs

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Srikanth Venkatesh (#1)
Re: hba_conf hostssl clientcert=1 no longer required in 9.4

srix55@gmail.com writes:

> The following documentation comment has been logged on the website:
> Page: https://www.postgresql.org/docs/9.4/static/ssl-tcp.html
> Description:
>
> 17.9.1. Using Client Certificates
> (https://www.postgresql.org/docs/9.4/static/ssl-tcp.html)
>
> The first paragraph contains this line "...and set the clientcert parameter
> to 1 on the appropriate hostssl line(s) in pg_hba.conf" which isn't right
> for 9.4.

Hmm, what do you think isn't right about it?

ISTM there's an omission here, which is that it'd be useful to mention
that clientcert=1 is assumed for the "cert" authentication method. But
the text seems okay as far as it goes.

regards, tom lane


#3 Srikanth Venkatesh
srix55@gmail.com
In reply to: Tom Lane (#2)
Re: hba_conf hostssl clientcert=1 no longer required in 9.4

I guess it should mention that setting the parameter to 1 is no longer
required... and that the default is 1 for "cert".

On Thu, Jul 14, 2016 at 11:00 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

> srix55@gmail.com writes:
>
> > The following documentation comment has been logged on the website:
> > Page: https://www.postgresql.org/docs/9.4/static/ssl-tcp.html
> > Description:
> >
> > 17.9.1. Using Client Certificates
> > (https://www.postgresql.org/docs/9.4/static/ssl-tcp.html)
> >
> > The first paragraph contains this line "...and set the clientcert parameter
> > to 1 on the appropriate hostssl line(s) in pg_hba.conf" which isn't right
> > for 9.4.
>
> Hmm, what do you think isn't right about it?
>
> ISTM there's an omission here, which is that it'd be useful to mention
> that clientcert=1 is assumed for the "cert" authentication method. But
> the text seems okay as far as it goes.
>
> regards, tom lane

#4 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Srikanth Venkatesh (#3)
Re: hba_conf hostssl clientcert=1 no longer required in 9.4

Srikanth Venkatesh <srix55@gmail.com> writes:

> I guess it should mention that setting the parameter to 1 is no longer
> required... and that the default is 1 for "cert".

In what way is it no longer required? Without that flag set, there's
no insistence on a validated client cert.

regards, tom lane


#5 Srikanth Venkatesh
srix55@gmail.com
In reply to: Tom Lane (#4)
Re: hba_conf hostssl clientcert=1 no longer required in 9.4

So, one has to use "cert clientcert=1" and not just "cert" in hba_conf? So
"clientcert" is an auth-method option of "cert"? That isn't exactly clear
in the hba_conf documentation -
https://www.postgresql.org/docs/9.4/static/auth-methods.html#AUTH-CERT .
That part of the document doesn't mention what you just said.

On Fri, Jul 15, 2016 at 6:33 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

> Srikanth Venkatesh <srix55@gmail.com> writes:
>
> > I guess it should mention that setting the parameter to 1 is no longer
> > required... and that the default is 1 for "cert".
>
> In what way is it no longer required? Without that flag set, there's
> no insistence on a validated client cert.
>
> regards, tom lane

#6 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Srikanth Venkatesh (#5)
Re: hba_conf hostssl clientcert=1 no longer required in 9.4

Srikanth Venkatesh <srix55@gmail.com> writes:

> So, one has to use "cert clientcert=1" and not just "cert" in hba_conf? So
> "clientcert" is an auth-method option of "cert"? That isn't exactly clear
> in the hba_conf documentation -
> https://www.postgresql.org/docs/9.4/static/auth-methods.html#AUTH-CERT .
> That part of the document doesn't mention what you just said.

That's exactly not what I said.

I've tried to clarify this at
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=745513c70282180afd83c666e43bdb0b6fb8c688

regards, tom lane

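
Added example (not code from this thread or from the PostgreSQL project): a Python check that applies the rule stated in messages #2 and #4 to the hostssl lines of a 9.4 pg_hba.conf, where "cert" assumes clientcert=1 and any other method insists on a validated client certificate only when clientcert=1 is set. The sample file, the function names and the simplified tokenizer are assumptions made for illustration.

```python
import ipaddress
import shlex

# Constructed sample pg_hba.conf; databases, users and addresses are made up.
SAMPLE_HBA = """\
hostssl  all    all  10.0.0.0/8               cert
hostssl  all    all  10.1.0.0/16              md5 clientcert=1
hostssl  all    all  192.168.0.0 255.255.0.0  md5
hostssl  appdb  app  203.0.113.7/32           md5 clientcert=0
host     all    all  127.0.0.1/32             md5
"""


def parse_hostssl(line):
    """Return (method, options) for a hostssl record, else None."""
    fields = shlex.split(line, comments=True)  # simplified tokenizer (assumption)
    if len(fields) < 5 or fields[0] != "hostssl":
        return None
    # ADDRESS is one field (CIDR or host name) or two (IP address + netmask).
    try:
        ipaddress.ip_address(fields[4])
        idx = 5
    except ValueError:
        idx = 4
    if idx >= len(fields):
        return None
    options = dict(f.partition("=")[::2] for f in fields[idx + 1:])
    return fields[idx], options


def requires_client_cert(line):
    """True/False for hostssl records, None for any other line."""
    parsed = parse_hostssl(line)
    if parsed is None:
        return None
    method, options = parsed
    # Per the thread: "cert" assumes clientcert=1; with any other method a
    # validated client certificate is insisted on only if clientcert=1 is set.
    return method == "cert" or options.get("clientcert") == "1"


def audit(text):
    """Return line numbers of hostssl records that do not require a client cert."""
    return [n for n, line in enumerate(text.splitlines(), start=1)
            if requires_client_cert(line) is False]


if __name__ == "__main__":
    print("hostssl lines not requiring a client certificate:", audit(SAMPLE_HBA))
```

Lines of type `host` are reported as out of scope (None) because the thread only discusses hostssl records.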