since-v3.diff.txt

text/plain

Filename: since-v3.diff.txt
Type: text/plain
Part: 0
Message: Re: [PATCH] Log details for client certificate failures
commit 7489e52168b76df3a84c68d79fb22651a05a0c05
Author: Jacob Champion <jchampion@timescale.com>
Date:   Fri Jul 8 09:19:32 2022 -0700

    squash! Log details for client certificate failures
    
    Change detail message, per review.

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 80b361b105..a2cbcdad5f 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1173,9 +1173,10 @@ verify_cb(int ok, X509_STORE_CTX *ctx)
 			(errmsg("client certificate verification failed at depth %d: %s",
 					depth, errstring),
 			 /* only print detail if we have a certificate to print */
-			 subject && errdetail("failed certificate had subject '%s', "
+			 subject && errdetail("Failed certificate data (unverified): "
+									"subject '%s', "
 									"serial number %s, "
-									"purported issuer '%s'",
+									"issuer '%s'",
 								  sub_truncated ? sub_truncated : subject,
 								  serialno ? serialno : _("unknown"),
 								  iss_truncated ? iss_truncated : issuer)));
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index a9b737ed09..0f837e1b9f 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -685,7 +685,7 @@ $node->connect_fails(
 	expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
 	log_like => [
 		qr/client certificate verification failed at depth 0: certificate revoked/,
-		qr/failed certificate had subject '\/CN=ssltestuser', serial number 2315134995201656577, purported issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
+		qr/Failed certificate data \(unverified\): subject '\/CN=ssltestuser', serial number 2315134995201656577, issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
 	],
 	# revoked certificates should not authenticate the user
 	log_unlike => [qr/connection authenticated:/],);
@@ -737,7 +737,7 @@ $node->connect_fails(
 	expected_stderr => qr/SSL error: tlsv1 alert unknown ca/,
 	log_like => [
 		qr/client certificate verification failed at depth 0: unable to get local issuer certificate/,
-		qr/failed certificate had subject '\/CN=ssltestuser', serial number 2315134995201656576, purported issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
+		qr/Failed certificate data \(unverified\): subject '\/CN=ssltestuser', serial number 2315134995201656576, issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
 	]);
 
 $node->connect_fails(
@@ -746,7 +746,7 @@ $node->connect_fails(
 	expected_stderr => qr/SSL error: tlsv1 alert unknown ca/,
 	log_like => [
 		qr/client certificate verification failed at depth 0: unable to get local issuer certificate/,
-		qr/failed certificate had subject '\.\.\.\/CN=ssl-123456789012345678901234567890123456789012345678901234567890', serial number 2315418733629425152, purported issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
+		qr/Failed certificate data \(unverified\): subject '\.\.\.\/CN=ssl-123456789012345678901234567890123456789012345678901234567890', serial number 2315418733629425152, issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
 	]);
 
 # Use an invalid cafile here so that the next test won't be able to verify the
@@ -761,7 +761,7 @@ $node->connect_fails(
 	expected_stderr => qr/SSL error: tlsv1 alert unknown ca/,
 	log_like => [
 		qr/client certificate verification failed at depth 1: unable to get local issuer certificate/,
-		qr/failed certificate had subject '\/CN=Test CA for PostgreSQL SSL regression test client certs', serial number 2315134995201656577, purported issuer '\/CN=Test root CA for PostgreSQL SSL regression test suite'/,
+		qr/Failed certificate data \(unverified\): subject '\/CN=Test CA for PostgreSQL SSL regression test client certs', serial number 2315134995201656577, issuer '\/CN=Test root CA for PostgreSQL SSL regression test suite'/,
 	]);
 
 # test server-side CRL directory
@@ -778,7 +778,7 @@ $node->connect_fails(
 	expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
 	log_like => [
 		qr/client certificate verification failed at depth 0: certificate revoked/,
-		qr/failed certificate had subject '\/CN=ssltestuser', serial number 2315134995201656577, purported issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
+		qr/Failed certificate data \(unverified\): subject '\/CN=ssltestuser', serial number 2315134995201656577, issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
 	]);
 
 done_testing();