Re: [PATCH] Log details for client certificate failures
Graham Leggett <minfrin@sharp.fm>
From: Graham Leggett <minfrin@sharp.fm>
To: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
Cc: pgsql-hackers@postgresql.org, Jacob Champion <jchampion@timescale.com>
Date: 2022-06-30T09:53:58Z
Lists: pgsql-hackers
On 30 Jun 2022, at 10:43, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > I wrote that pg_stat_ssl uses the *issuer* plus serial number to identify a certificate. What your patch shows is the subject and the serial number, which isn't the same thing. Let's get that sorted out one way or the other. Quick observation on this one, the string format of an issuer and serial number is defined as a “Certificate Exact Assertion” in RFC 4523. I added this to httpd a while back: SSL_CLIENT_CERT_RFC4523_CEA It would be good to interoperate. Regards, Graham —
Commits
-
Fix tiny memory leaks
- a9d58bfe8a3a 16.0 landed
-
Don't reflect unescaped cert data to the logs
- 257eb57b50f7 16.0 landed
-
pg_clean_ascii(): escape bytes rather than lose them
- 45b1a67a0fcb 16.0 landed
-
Log details for client certificate failures
- 3a0e385048ad 16.0 landed