Re: [PATCH] Log details for client certificate failures

Graham Leggett <minfrin@sharp.fm>

From: Graham Leggett <minfrin@sharp.fm>
To: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
Cc: pgsql-hackers@postgresql.org, Jacob Champion <jchampion@timescale.com>
Date: 2022-06-30T09:53:58Z
Lists: pgsql-hackers
On 30 Jun 2022, at 10:43, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:

> I wrote that pg_stat_ssl uses the *issuer* plus serial number to identify a certificate.  What your patch shows is the subject and the serial number, which isn't the same thing.  Let's get that sorted out one way or the other.

Quick observation on this one, the string format of an issuer and serial number is defined as a “Certificate Exact Assertion” in RFC 4523.

I added this to httpd a while back:

SSL_CLIENT_CERT_RFC4523_CEA

It would be good to interoperate.

Regards,
Graham
—

Commits

  1. Fix tiny memory leaks

  2. Don't reflect unescaped cert data to the logs

  3. pg_clean_ascii(): escape bytes rather than lose them

  4. Log details for client certificate failures