Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2019-03-09 Thread Magnus Hagander
On Sat, Mar 9, 2019 at 11:03 AM Magnus Hagander wrote: > On Sun, Feb 17, 2019 at 7:50 PM Michael Paquier > wrote: > >> On Fri, Feb 15, 2019 at 08:03:24PM -0800, Andres Freund wrote: >> > I see you've marked the patch as needs review - but as the patch >> > previously was marked as

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2019-03-09 Thread Magnus Hagander
On Sun, Feb 17, 2019 at 7:50 PM Michael Paquier wrote: > On Fri, Feb 15, 2019 at 08:03:24PM -0800, Andres Freund wrote: > > I see you've marked the patch as needs review - but as the patch > > previously was marked as ready-for-committer, and I assume nothing > > substantial has changed, I think

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2019-02-17 Thread Michael Paquier
On Fri, Feb 15, 2019 at 08:03:24PM -0800, Andres Freund wrote: > I see you've marked the patch as needs review - but as the patch > previously was marked as ready-for-committer, and I assume nothing > substantial has changed, I think RFC might still be the accurate state? Yes, RFC sounds good to

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2019-02-15 Thread Andres Freund
Hi, On 2019-02-06 15:19:56 +, Timmer, Marius wrote: > On Mon, Jan 04, 2019 at 03:06, Michael Paquier wrote: > > I have moved the patch to next CF, waiting on author as the latest > > patch does not apply. Could it be rebased? > The patch is rebased and applies now. I see you've marked the

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2019-02-06 Thread Timmer, Marius
On Mon, Jan 04, 2019 at 03:06, Michael Paquier wrote: > On Thu, Dec 27, 2018 at 12:14:03PM +0100, Magnus Hagander wrote: >> I definitely am. In fact, I was ages ago (was planning for early December, >> but hey, see where that led me), so my apologies for failing at that. But it >> definitely

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2019-02-03 Thread Michael Paquier
On Thu, Dec 27, 2018 at 12:14:03PM +0100, Magnus Hagander wrote: > I definitely am. In fact, I was ages ago (was planning for early December, > but hey, see where that led me), so my apologies for failing at that. But it > definitely remains on my list of things to get to! So, Magnus, where are we

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-12-27 Thread Magnus Hagander
On Tue, Dec 25, 2018 at 9:08 AM Michael Paquier wrote: > On Fri, Nov 30, 2018 at 12:24:04PM +1300, Thomas Munro wrote: > > The tests pass and show the feature working correctly. I think this > > is getting close to committable. I see that Magnus has signed up as > > committer. > > It has been

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-12-25 Thread Michael Paquier
On Fri, Nov 30, 2018 at 12:24:04PM +1300, Thomas Munro wrote: > The tests pass and show the feature working correctly. I think this > is getting close to committable. I see that Magnus has signed up as > committer. It has been one month since this message, and the patch is marked as ready for

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-11-30 Thread Marius Timmer
Hello Thomas, thank you for reviewing our patch. > Why did you put "trust" there instead of "$authmethod" like the previous > lines? That is a good question indeed. We changed that accordingly. > The tests pass and show the feature working correctly. I think this > is getting close to

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-11-29 Thread Thomas Munro
On Fri, Oct 26, 2018 at 2:08 AM Marius Timmer wrote: > We (Julian and I) would like to show you the seventh version of this > patch which includes all the things mentioned before. Unfortunately > we did not find the time to do this earlier. +case uaCert: case uaTrust: Maybe add

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-10-25 Thread Arne Scheffer
Hi, after talking with Marius: The last sentence in his mail concerning the progress suffers from poor translation, and can safely be ignored ;-) We didn't intend to push anybody. VlG-(Marius Timmer &) Arne Scheffer On 25.10.18 15:08, Marius Timmer wrote: Dear hackers, We (Julian and I)

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-08-03 Thread Julian Markwort
On 03.08.2018 at 08:09 David Fetter wrote: I've rebased the patch atop master so it applies and passes 'make check-world'. I didn't make any other changes. Best, David. Much appreciated!

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-08-03 Thread David Fetter
On Mon, Jul 30, 2018 at 02:20:43PM +0200, Julian Markwort wrote: > On 07/19/2018 03:00 AM, Thomas Munro wrote: > >Some more comments: > > > > if (parsedline->auth_method == uaCert) > > { > >- parsedline->clientcert = true; > >+ parsedline->clientcert =

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-07-30 Thread Julian Markwort
On 07/19/2018 03:00 AM, Thomas Munro wrote: Some more comments: if (parsedline->auth_method == uaCert) { - parsedline->clientcert = true; + parsedline->clientcert = clientCertOn; } The "cert" method is technically redundant with this
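Review bot: in the `uaCert` branch, `parsedline->clientcert = clientCertOn;` replaces the boolean `true` with a named constant, so any code that still tests `parsedline->clientcert` as a plain truth value should compare against the named values explicitly. A short comment at this assignment saying why the cert method sets `clientCertOn` rather than a verify-full value would also help readers.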

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-07-18 Thread Thomas Munro
On Sun, Jul 15, 2018 at 12:47 AM, Julian Markwort wrote: > Also, while writing this part of the docs, I tried to stay below 80 > characters, but I've exceeded it in some places. > There are several other places (several in the .sgml files touched by this > patch), where 80 characters are

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-07-14 Thread Julian Markwort
Hi Thomas, here's a rebased patch, with your observations corrected. Thomas Munro wrote on 2018-07-13: > + In this case, the CN (nommon name) provided in > "common name" > + CN (Common Name) in the certificate matches > "common"? (why a capital letter here?) I've resorted to "CN (Common

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-07-12 Thread Thomas Munro
On Sat, Apr 14, 2018 at 3:48 AM, Julian Markwort wrote: > [a patch] Hello Julian, Could you please post a rebased patch? I haven't reviewed or tested any code yet, but here's some proof-reading: + This behaviour is similar to the cert autentication method "behavior" (our manual is

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-04-13 Thread Julian Markwort
On Tue, 2018-04-10 at 18:35 +0200, Magnus Hagander wrote: > As Peter mentioned, there are in src/test/ssl. I forgot about those, > but yes, it would be useful to have that. I've added three tests: - verify-full specified, CN and username match -- should connect ok - verify-full specified, CN and

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-04-10 Thread Magnus Hagander
On Tue, Apr 10, 2018 at 2:10 PM, Julian Markwort < julian.markw...@uni-muenster.de> wrote: > On Fri, 2018-04-06 at 20:31 +0200, Magnus Hagander wrote: > > I've been through this one again. > > Thanks for taking the time! > > There is one big omission from it -- it fails to work with the view >

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-04-10 Thread Peter Eisentraut
On 4/10/18 08:10, Julian Markwort wrote: >> Attached is an updated patch with these changes. I'd appreciate it if >> you can run it through your tests to confirm that it didn't break any >> of those usecases. > I've tested a couple of things with this and it seems to work as > expected.

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-04-10 Thread Julian Markwort
On Fri, 2018-04-06 at 20:31 +0200, Magnus Hagander wrote: > I've been through this one again. Thanks for taking the time! > There is one big omission from it -- it fails to work with the view > pg_hba_file_rules. When fixing that, things started to look kind of > ugly with the "two booleans to

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-04-06 Thread Magnus Hagander
On Sun, Apr 1, 2018 at 6:07 PM, Magnus Hagander wrote: > On Sun, Apr 1, 2018 at 6:01 PM, Julian Markwort < > julian.markw...@uni-muenster.de> wrote: > >> On 1. of April 2018 17:46:38 MESZ wrote Magnus Hagander < >> mag...@hagander.net>: >> >> >I assume this is a patch that's

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-04-01 Thread Magnus Hagander
On Sun, Apr 1, 2018 at 6:01 PM, Julian Markwort < julian.markw...@uni-muenster.de> wrote: > On 1. of April 2018 17:46:38 MESZ wrote Magnus Hagander < > mag...@hagander.net>: > > >I assume this is a patch that's intended to be applied on top of the > >previous patch? If so, please submit the

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-04-01 Thread Julian Markwort
On 1. of April 2018 17:46:38 MESZ wrote Magnus Hagander : >I assume this is a patch that's intended to be applied on top of the >previous patch? If so, please submit the complete patch to make sure the >correct combination ends up actually being reviewed. The v02.patch

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-04-01 Thread Magnus Hagander
On Fri, Mar 23, 2018 at 3:45 PM, Julian Markwort < julian.markw...@uni-muenster.de> wrote: > On Sat, 2018-03-17 at 18:24 +0100, Magnus Hagander wrote: > > The error message "certificate authentication failed for user XYZ: > client certificate contains no user name" is the result of calling >

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-03-23 Thread Julian Markwort
On Sat, 2018-03-17 at 18:24 +0100, Magnus Hagander wrote: > > The error message "certificate authentication failed for user XYZ: > > > > client certificate contains no user name" is the result of calling > > > > CheckCertAuth when the user presented a certificate without a CN in > > it. > >

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-03-17 Thread Magnus Hagander
On Fri, Mar 9, 2018 at 2:11 PM, Julian Markwort < julian.markw...@uni-muenster.de> wrote: > Hello Magnus, > > > I think this makes a lot of sense, and can definitely be a useful > > option. > > I was hesitant to write a long and elaborate patch as I wasn't certain > if there was any interest for

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-03-09 Thread Julian Markwort
Hello Magnus, > I think this makes a lot of sense, and can definitely be a useful > option. I was hesitant to write a long and elaborate patch as I wasn't certain if there was any interest for such an addition, but I'm thankful for your input. > However, the patch is completely lacking

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

2018-03-02 Thread Magnus Hagander
On Fri, Feb 16, 2018 at 4:45 PM, Julian Markwort < julian.markw...@uni-muenster.de> wrote: > Dear Postgresql Hackers, > > as of now, pg_hba.conf allows us to enable authentication by > certificate through the auth-method "cert", in which case the user must > provide a valid certificate with a