Add new clientcert hba option verify-full

Magnus Hagander <magnus@hagander.net>

Commit: 0516c61b756e39ed6eb7a6bb54311a841002211a
Author: Magnus Hagander <magnus@hagander.net>
Date: 2019-03-09T20:19:47Z
Releases: 12.0
Add new clientcert hba option verify-full

This allows a login to require both that the cn of the certificate
matches (like authentication type cert) *and* that another
authentication method (such as password or kerberos) succeeds as well.

The old value of clientcert=1 maps to the new clientcert=verify-ca,
clientcert=0 maps to the new clientcert=no-verify, and the new option
erify-full will add the validation of the CN.

Author: Julian Markwort, Marius Timmer
Reviewed by: Magnus Hagander, Thomas Munro

Files

PathChange+/−
doc/src/sgml/client-auth.sgml modified +16 −9
doc/src/sgml/runtime.sgml modified +41 −13
src/backend/libpq/auth.c modified +36 −11
src/backend/libpq/hba.c modified +24 −9
src/include/libpq/hba.h modified +8 −1
src/test/ssl/t/001_ssltests.pl modified +22 −1
src/test/ssl/t/SSLServer.pm modified +9 −1

Documentation touched