Add new clientcert hba option verify-full
Magnus Hagander <magnus@hagander.net>
Add new clientcert hba option verify-full This allows a login to require both that the cn of the certificate matches (like authentication type cert) *and* that another authentication method (such as password or kerberos) succeeds as well. The old value of clientcert=1 maps to the new clientcert=verify-ca, clientcert=0 maps to the new clientcert=no-verify, and the new option erify-full will add the validation of the CN. Author: Julian Markwort, Marius Timmer Reviewed by: Magnus Hagander, Thomas Munro
Files
| Path | Change | +/− |
|---|---|---|
| doc/src/sgml/client-auth.sgml | modified | +16 −9 |
| doc/src/sgml/runtime.sgml | modified | +41 −13 |
| src/backend/libpq/auth.c | modified | +36 −11 |
| src/backend/libpq/hba.c | modified | +24 −9 |
| src/include/libpq/hba.h | modified | +8 −1 |
| src/test/ssl/t/001_ssltests.pl | modified | +22 −1 |
| src/test/ssl/t/SSLServer.pm | modified | +9 −1 |