
pgwire: align client cert validation with pg #47403

Closed
knz opened this issue Apr 12, 2020 · 2 comments
Labels: A-security; A-sql-pgwire (pgwire protocol issues); C-enhancement (Solution expected to add code/behavior + preserve backward-compat; pg compat issues are the exception)

Comments

knz commented Apr 12, 2020

It so happens that pg also provides fine-grained configuration of how client certs are to be validated:

In addition to the method-specific options listed below, there is one method-independent authentication option clientcert, which can be specified in any hostssl record. This option can be set to verify-ca or verify-full. Both options require the client to present a valid (trusted) SSL certificate, while verify-full additionally enforces that the cn (Common Name) in the certificate matches the username or an applicable mapping. This behavior is similar to the cert authentication method (see Section 20.12) but enables pairing the verification of client certificates with any authentication method that supports hostssl entries.

https://www.postgresql.org/docs/current/auth-pg-hba-conf.html

  1. Today cockroachdb only supports either "nothing" (no cert validation whatsoever) or "verify-full" (via the cert auth method). It would be good if pg's other modes could be checked.

  2. pg supports cert checks in addition to any other auth method. In crdb, cert checks are exclusive with every other method.

cc @aaron-crl

@knz knz added C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) A-sql-pgwire pgwire protocol issues. A-security labels Apr 12, 2020
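To make the pg modes from the quoted paragraph concrete, here is an added Go example (not CockroachDB's or PostgreSQL's code) that implements the `clientcert` check with the standard library: an empty value means no check, `verify-ca` requires a chain to a trusted CA, and `verify-full` additionally requires the certificate CN to equal the SQL username (pg's ident mapping is not modelled). The demo CA, the client certificate and the function names are constructed for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckClientCert applies a pg_hba.conf clientcert value ("", "verify-ca" or "verify-full") to the presented cert.
func CheckClientCert(cert *x509.Certificate, roots *x509.CertPool, clientcert, user string) error {
	if clientcert == "" {
		return nil // hostssl entry without clientcert: the cert is not checked at all
	}
	if clientcert != "verify-ca" && clientcert != "verify-full" {
		return fmt.Errorf("unknown clientcert value %q", clientcert) // fail closed on typos
	}
	if cert == nil {
		return fmt.Errorf("clientcert=%s: no client certificate presented", clientcert)
	}
	// verify-ca: the chain must end at a trusted CA and the leaf must be usable for client auth.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("verify-ca: %w", err)
	}
	// verify-full additionally ties the cert to the SQL user (pg_ident mapping not modelled here).
	if clientcert == "verify-full" && cert.Subject.CommonName != user {
		return fmt.Errorf("verify-full: CN %q does not match user %q", cert.Subject.CommonName, user)
	}
	return nil
}

// MintClientCert builds a throwaway CA and a client cert for cn signed by it (constructed test fixture).
func MintClientCert(cn string) (*x509.Certificate, *x509.CertPool) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv) // self-signed CA
	ca, _ := x509.ParseCertificate(caDER)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caPriv) // CA signs the leaf
	leaf, _ := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots
}
```

A leaf minted by a second call to MintClientCert comes from a different CA, so it is rejected under verify-ca against the first call's root pool even though its CN matches.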
@aaron-crl

I believe this is related: #47300


knz commented Apr 17, 2020

dup #45953

@knz knz closed this as completed Apr 17, 2020