
[DOCS] hba_conf hostssl clientcert=1 no longer required in 9.4


sri...@gmail.com

Jul 14, 2016, 12:31:38 PM
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/9.4/static/ssl-tcp.html
Description:

17.9.1. Using Client Certificates
(https://www.postgresql.org/docs/9.4/static/ssl-tcp.html)

The first paragraph contains this line "...and set the clientcert parameter
to 1 on the appropriate hostssl line(s) in pg_hba.conf" which isn't right
for 9.4.

--
Sent via pgsql-docs mailing list (pgsql...@postgresql.org)

Tom Lane

Jul 14, 2016, 1:30:46 PM
sri...@gmail.com writes:
> The following documentation comment has been logged on the website:
> Page: https://www.postgresql.org/docs/9.4/static/ssl-tcp.html
> Description:

> 17.9.1. Using Client Certificates
> (https://www.postgresql.org/docs/9.4/static/ssl-tcp.html)

> The first paragraph contains this line "...and set the clientcert parameter
> to 1 on the appropriate hostssl line(s) in pg_hba.conf" which isn't right
> for 9.4.

Hmm, what do you think isn't right about it?

ISTM there's an omission here, which is that it'd be useful to mention
that clientcert=1 is assumed for the "cert" authentication method. But
the text seems okay as far as it goes.

regards, tom lane

Tom Lane

Jul 15, 2016, 9:04:33 AM
Srikanth Venkatesh <sri...@gmail.com> writes:
> I guess it should mention that setting the parameter to 1 is no longer
> required... and that the default is 1 for "cert".

In what way is it no longer required? Without that flag set, there's
no insistence on a validated client cert.

Tom Lane

Jul 16, 2016, 2:15:14 PM
Srikanth Venkatesh <sri...@gmail.com> writes:
> So, one has to use "cert clientcert=1" and not just "cert" in hba_conf? So
> "clientcert" is an auth-method option of "cert"? That isn't exactly clear
> in the hba_conf documentation -
> https://www.postgresql.org/docs/9.4/static/auth-methods.html#AUTH-CERT .
> That part of the document doesn't mention what you just said.

That's exactly not what I said.

I've tried to clarify this at
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=745513c70282180afd83c666e43bdb0b6fb8c688

Srikanth Venkatesh

Jul 17, 2016, 9:31:49 PM
I guess it should mention that setting the parameter to 1 is no longer required... and that the default is 1 for "cert".

Srikanth Venkatesh

Jul 19, 2016, 5:18:31 PM
So, one has to use "cert clientcert=1" and not just "cert" in hba_conf? So "clientcert" is an auth-method option of "cert"? That isn't exactly clear in the hba_conf documentation - https://www.postgresql.org/docs/9.4/static/auth-methods.html#AUTH-CERT . That part of the document doesn't mention what you just said.

On Fri, Jul 15, 2016 at 6:33 PM, Tom Lane <t...@sss.pgh.pa.us> wrote:
Srikanth Venkatesh <sri...@gmail.com> writes:
> I guess it should mention that setting the parameter to 1 is no longer
> required... and that the default is 1 for "cert".
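
The rule stated in this thread (a hostssl line insists on a validated client certificate when clientcert=1 is set, and the "cert" method assumes it), as an added example that is not part of the thread or of PostgreSQL itself: a Python check over a constructed pg_hba.conf sample. The function names and the sample lines are assumptions made for illustration.

```python
import re

# Constructed sample pg_hba.conf content (not taken from the thread).
SAMPLE_HBA = """\
# TYPE   DATABASE USER  ADDRESS          METHOD  OPTIONS
hostssl  all      all   10.0.0.0/8       cert
hostssl  all      all   10.1.0.0/16      cert    map=cnmap
hostssl  all      all   192.168.1.0/24   md5     clientcert=1
hostssl  all      all   192.168.2.0 255.255.255.0 md5
hostssl  all      all   0.0.0.0/0        md5     clientcert=0
host     all      all   127.0.0.1/32     md5
"""

IPV4_MASK = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def requires_client_cert(line):
    """Return (method, required) for a hostssl line, or None for any other line."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 5 or fields[0] != "hostssl":
        return None
    # ADDRESS is one field (CIDR or host name) or two (IP address + netmask).
    m = 5 if IPV4_MASK.match(fields[4]) or ":" in fields[4] else 4
    if len(fields) <= m:
        return None
    method = fields[m]
    options = dict(o.split("=", 1) for o in fields[m + 1:] if "=" in o)
    # "cert" implies clientcert=1; every other method needs it spelled out.
    required = method == "cert" or options.get("clientcert") == "1"
    return method, required


def audit(text):
    """List (line_number, method, client_cert_required) for each hostssl line."""
    results = []
    for number, line in enumerate(text.splitlines(), 1):
        parsed = requires_client_cert(line)
        if parsed:
            results.append((number, parsed[0], parsed[1]))
    return results


if __name__ == "__main__":
    for number, method, required in audit(SAMPLE_HBA):
        status = "client cert required" if required else "NO client cert check"
        print(f"line {number}: {method:5s} {status}")
```

Lines reported without a client certificate check still encrypt the connection; they only skip the insistence on a validated client certificate.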
