Re: [PATCH] Log details for client certificate failures

Peter Eisentraut <peter.eisentraut@enterprisedb.com>

From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, Jacob Champion <jchampion@timescale.com>
Date: 2022-06-30T09:43:21Z
Lists: pgsql-hackers
On 13.05.22 00:36, Jacob Champion wrote:
> On Thu, 2022-05-05 at 15:12 +0000, Jacob Champion wrote:
>> On Wed, 2022-05-04 at 15:53 +0200, Peter Eisentraut wrote:
>>> In terms of aligning what is printed, I meant that pg_stat_ssl uses the
>>> issuer plus serial number to identify the certificate unambiguously.
>>
>> Oh, that's a great idea. I'll do that too.
> 
> v2 limits the maximum subject length and adds the serial number to the
> logs.

I wrote that pg_stat_ssl uses the *issuer* plus serial number to 
identify a certificate.  What your patch shows is the subject and the 
serial number, which isn't the same thing.  Let's get that sorted out 
one way or the other.

Another point, your patch produces

     LOG:  connection received: host=localhost port=44120
     LOG:  client certificate verification failed at depth 1: ...
     DETAIL:  failed certificate had subject ...
     LOG:  could not accept SSL connection: certificate verify failed

I guess what we really would like is

     LOG:  connection received: host=localhost port=44120
     LOG:  could not accept SSL connection: certificate verify failed
     DETAIL:  client certificate verification failed at depth 1: ...
     failed certificate had subject ...

But I suppose that would be very cumbersome to produce with the callback 
structure provided by OpenSSL?

I'm not saying the proposed way is unacceptable, but maybe it's worth 
being explicit about this tradeoff.



Commits

  1. Fix tiny memory leaks

  2. Don't reflect unescaped cert data to the logs

  3. pg_clean_ascii(): escape bytes rather than lose them

  4. Log details for client certificate failures