From 2dbb7b9b2279d064f66ce9008869fd0e2b794534 Mon Sep 17 00:00:00 2001 From: Magnus Hagander Date: Wed, 26 Jan 2022 09:52:41 +0100 Subject: [PATCH] Fix pg_hba_file_rules for authentication method cert For authentication method cert, clientcert=verify-full is implied. But the pg_hba_file_rules entry would incorrectly show clientcert=verify-ca. Per bug #17354 Reported-By: Feike Steenbergen Reviewed-By: Jonathan Katz Backpatch-through: 12 --- src/backend/libpq/hba.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index ff57ffa61c..a7f3def184 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -1684,7 +1684,11 @@ parse_hba_line(TokenizedLine *tok_line, int elevel) */ if (parsedline->auth_method == uaCert) { - parsedline->clientcert = clientCertCA; + /* + * For auth method cert, client certificate validation is mandatory, and it implies + * the level of verify-full. + */ + parsedline->clientcert = clientCertFull; } return parsedline;