Re: [PATCH] Log details for client certificate failures

Peter Eisentraut <peter.eisentraut@enterprisedb.com>

From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: Jacob Champion <pchampion@vmware.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2022-05-03T19:06:12Z
Lists: pgsql-hackers
On 03.05.22 19:04, Jacob Champion wrote:
> One question/concern -- the Subject that's printed to the logs could be
> pretty big (OpenSSL limits the incoming certificate chain to 100K, by
> default), which introduces an avenue for intentional log spamming. Is
> there an existing convention for limiting the length of log output used
> for debugging? Maybe I should just hardcode a smaller limit and
> truncate anything past that? Or we could just log the Common Name,
> which should be limited to 64 bytes...

The information in pg_stat_ssl is limited to NAMEDATALEN (see struct 
PgBackendSSLStatus).

It might make sense to align what your patch prints to identify 
certificates with what is shown in that view.



Commits

  1. Fix tiny memory leaks

  2. Don't reflect unescaped cert data to the logs

  3. pg_clean_ascii(): escape bytes rather than lose them

  4. Log details for client certificate failures