Re: [PATCH] Log details for client certificate failures
Peter Eisentraut <peter.eisentraut@enterprisedb.com>
From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>,
Jacob Champion <jchampion@timescale.com>
Date: 2022-06-30T09:43:21Z
Lists: pgsql-hackers
On 13.05.22 00:36, Jacob Champion wrote:
> On Thu, 2022-05-05 at 15:12 +0000, Jacob Champion wrote:
>> On Wed, 2022-05-04 at 15:53 +0200, Peter Eisentraut wrote:
>>> In terms of aligning what is printed, I meant that pg_stat_ssl uses the
>>> issuer plus serial number to identify the certificate unambiguously.
>>
>> Oh, that's a great idea. I'll do that too.
>
> v2 limits the maximum subject length and adds the serial number to the
> logs.
I wrote that pg_stat_ssl uses the *issuer* plus serial number to
identify a certificate. What your patch shows is the subject and the
serial number, which isn't the same thing. Let's get that sorted out
one way or the other.
Another point, your patch produces
LOG: connection received: host=localhost port=44120
LOG: client certificate verification failed at depth 1: ...
DETAIL: failed certificate had subject ...
LOG: could not accept SSL connection: certificate verify failed
I guess what we really would like is
LOG: connection received: host=localhost port=44120
LOG: could not accept SSL connection: certificate verify failed
DETAIL: client certificate verification failed at depth 1: ...
failed certificate had subject ...
But I suppose that would be very cumbersome to produce with the callback
structure provided by OpenSSL?
I'm not saying the proposed way is unacceptable, but maybe it's worth
being explicit about this tradeoff.
Commits
-
Fix tiny memory leaks
- a9d58bfe8a3a 16.0 landed
-
Don't reflect unescaped cert data to the logs
- 257eb57b50f7 16.0 landed
-
pg_clean_ascii(): escape bytes rather than lose them
- 45b1a67a0fcb 16.0 landed
-
Log details for client certificate failures
- 3a0e385048ad 16.0 landed