Re: [PATCH] Log details for client certificate failures
Jacob Champion <jchampion@timescale.com>
From: Jacob Champion <jchampion@timescale.com>
To: Graham Leggett <minfrin@sharp.fm>
Cc: Peter Eisentraut <peter.eisentraut@enterprisedb.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2022-07-01T20:59:42Z
Lists: pgsql-hackers
On Thu, Jun 30, 2022 at 2:54 AM Graham Leggett <minfrin@sharp.fm> wrote: > > I added this to httpd a while back: > > SSL_CLIENT_CERT_RFC4523_CEA > > It would be good to interoperate. What kind of interoperation did you have in mind? Are there existing tools that want to scrape this information for observability? I think the CEA syntax might not be a good fit for this particular patch: first, we haven't actually verified the certificate, so no one should be using it to assert certificate equality (and I'm truncating the Issuer anyway, to avoid letting someone flood the logs). Second, this is designed to be human-readable rather than machine-readable. Thanks, --Jacob
Commits
-
Fix tiny memory leaks
- a9d58bfe8a3a 16.0 landed
-
Don't reflect unescaped cert data to the logs
- 257eb57b50f7 16.0 landed
-
pg_clean_ascii(): escape bytes rather than lose them
- 45b1a67a0fcb 16.0 landed
-
Log details for client certificate failures
- 3a0e385048ad 16.0 landed