Fix pg_hba_file_rules for authentication method cert

For authentication method cert, clientcert=verify-full is implied. But the pg_hba_file_rules entry would incorrectly show clientcert=verify-ca. Per bug #17354 Reported-By: Feike Steenbergen Reviewed-By: Jonathan Katz Backpatch-through: 12

Fix pg_hba_file_rules for authentication method cert
For authentication method cert, clientcert=verify-full is implied. But the pg_hba_file_rules entry would incorrectly show clientcert=verify-ca. Per bug #17354 Reported-By: Feike Steenbergen Reviewed-By: Jonathan Katz Backpatch-through: 12
4afae689 · Magnus Hagander · 75674c7e · 4afae689
Commit 4afae689 authored Jan 26, 2022 by Magnus Hagander
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

src/backend/libpq/hba.c src/backend/libpq/hba.c +5 -1

No files found.
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1684,7 +1684,11 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 	 */
 	if (parsedline->auth_method == uaCert)
 	{
-		parsedline->clientcert = clientCertCA;
+		/*
+		 * For auth method cert, client certificate validation is mandatory, and it implies
+		 * the level of verify-full.
+		 */
+		parsedline->clientcert = clientCertFull;
 	}

 	return parsedline;