=== Applying patches on top of PostgreSQL commit ID 088f8e2d568eaa963fe68a15287002081314fad8 ===
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider migrating to /etc/jail.conf.
Fri Mar 7 23:31:30 UTC 2025
On branch cf/5549
nothing to commit, working tree clean
=== using 'git am' to apply patch ./v1-0001-docs-improve-hostssl-related-descriptions-and-option.patch ===
Applying: docs: improve hostssl related descriptions and option presentation
Using index info to reconstruct a base tree...
M doc/src/sgml/client-auth.sgml
M doc/src/sgml/runtime.sgml
Falling back to patching base and 3-way merge...
Auto-merging doc/src/sgml/runtime.sgml
Auto-merging doc/src/sgml/client-auth.sgml
CONFLICT (content): Merge conflict in doc/src/sgml/client-auth.sgml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 docs: improve hostssl related descriptions and option presentation
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
Unstaged changes after reset:
M doc/src/sgml/client-auth.sgml
M doc/src/sgml/runtime.sgml
=== using patch(1) to apply patch ./v1-0001-docs-improve-hostssl-related-descriptions-and-option.patch ===
patch: unrecognized option `--no-backup-if-mismatch'
usage: patch [-bCcEeflNnRstuv] [-B backup-prefix] [-D symbol] [-d directory] [-F max-fuzz] [-i patchfile] [-o out-file] [-p strip-count] [-r rej-name] [-V t | nil | never | none] [-x number] [-z backup-ext] [--posix] [origfile [patchfile]]
patch direct
++<<<<<<< ours + In addition to the method-specific options listed below, there is a + method-independent authentication option clientcert, which + can be specified in any hostssl record. + This option can be set to verify-ca or + verify-full. 
Both options require the client + to present a valid (trusted) SSL certificate, while + verify-full additionally enforces that the + cn (Common Name) in the certificate matches + the username or an applicable mapping. + This behavior is similar to the cert authentication + method (see ) but enables pairing + the verification of client certificates with any authentication + method that supports hostssl entries. + + + On any record using client certificate authentication (i.e. one + using the cert authentication method or one + using the clientcert option), you can specify + which part of the client certificate credentials to match using + the clientname option. This option can have one + of two values. If you specify clientname=CN, which + is the default, the username is matched against the certificate's + Common Name (CN). If instead you specify + clientname=DN the username is matched against the + entire Distinguished Name (DN) of the certificate. + This option is probably best used in conjunction with a username map. + The comparison is done with the DN in + RFC 2253 + format. To see the DN of a client certificate + in this format, do + +openssl x509 -in myclient.crt -noout -subject -nameopt RFC2253 | sed "s/^subject=//" + + Care needs to be taken when using this option, especially when using + regular expression matching against the DN. ++======= + The hostssl connection type, in addition to allowing any + authentication-method-specific options, allows the + auth-options detailed in for + the cert authentication method. ++>>>>>>> theirs
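Review bot: On the "theirs" side of the conflict in doc/src/sgml/client-auth.sgml, the replacement sentence describes the options as those "for the cert authentication method", which loses the statement on the "ours" side that clientcert is method-independent and can be specified in any hostssl record. The same replacement removes from this location the distinction between verify-ca and verify-full and the caution about regular expression matching against the DN when clientname=DN is used. Since both git am and the 3-way merge failed on this file, please rebase onto the current client-auth.sgml and confirm that the section the new sentence refers to still carries those three points; the visible lines do not show where they were moved.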