It so happens that pg also provides fine-grained configuration of how client certs are to be validated:
In addition to the method-specific options listed below, there is one method-independent authentication option clientcert, which can be specified in any hostssl record. This option can be set to verify-ca or verify-full. Both options require the client to present a valid (trusted) SSL certificate, while verify-full additionally enforces that the cn (Common Name) in the certificate matches the username or an applicable mapping. This behavior is similar to the cert authentication method (see Section 20.12) but enables pairing the verification of client certificates with any authentication method that supports hostssl entries.
Today cockroachdb only supports either "nothing" (no cert validation whatsoever) or "verify-full" (via the cert auth method). It would be good if pg's other modes could be checked.
pg supports cert checks in addition to any other auth method. In crdb, cert checks are exclusive with every other method.
https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
cc @aaron-crl
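The following Go example is added here and is not code from the issue, CockroachDB or PostgreSQL. It models how the method-independent `clientcert` option layers a certificate requirement (none, `verify-ca`, `verify-full`) on top of whatever auth method a `hostssl` record names; `Rule`, `ParseRule`, `CertCheck` and the sample record are hypothetical, and TLS chain verification is assumed to have already produced the `trusted` flag.

```go
package main

import (
	"fmt"
	"strings"
)

type Rule struct{ Method, ClientCert string } // hypothetical: the parts of an HBA record used here

// ParseRule reads "TYPE DATABASE USER ADDRESS METHOD [OPTION...]".
func ParseRule(line string) (Rule, error) {
	f := strings.Fields(line)
	if len(f) < 5 {
		return Rule{}, fmt.Errorf("too few fields in %q", line)
	}
	r := Rule{Method: f[4]}
	for _, opt := range f[5:] {
		v := strings.TrimPrefix(opt, "clientcert=")
		if v == opt {
			continue // not the clientcert option
		}
		if f[0] != "hostssl" || (v != "verify-ca" && v != "verify-full") {
			return Rule{}, fmt.Errorf("bad clientcert option in %q", line)
		}
		r.ClientCert = v
	}
	if r.Method == "cert" {
		r.ClientCert = "verify-full" // the cert method always does the full check
	}
	return r, nil
}

// CertCheck applies only the certificate requirement; the record's own method
// must still succeed separately. cnMap maps a certificate CN to a user name.
func CertCheck(r Rule, trusted bool, cn, user string, cnMap map[string]string) error {
	mapped, ok := cnMap[cn]
	switch {
	case r.ClientCert != "" && !trusted:
		return fmt.Errorf("trusted client certificate required")
	case r.ClientCert == "verify-full" && cn != user && !(ok && mapped == user):
		return fmt.Errorf("certificate CN %q does not match user %q", cn, user)
	}
	return nil
}

func main() {
	// Constructed record: password auth plus a CA-only certificate check.
	r, _ := ParseRule("hostssl all all 0.0.0.0/0 scram-sha-256 clientcert=verify-ca")
	fmt.Println(r, CertCheck(r, true, "svc-backup", "alice", nil))
}
```

With `verify-ca` any certificate signed by the trusted CA passes regardless of its CN, so the identity decision rests entirely on the paired auth method.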