| From: | Sergey Shinderuk <s(dot)shinderuk(at)postgrespro(dot)ru> |
|---|---|
| To: | Jacob Champion <jchampion(at)timescale(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz> |
| Cc: | Daniel Gustafsson <daniel(at)yesql(dot)se>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Fix error handling in be_tls_open_server() |
| Date: | 2023-08-28 17:39:07 |
| Message-ID: | 0e4d5421-cf10-d400-bc36-6fd31611db5b@postgrespro.ru |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 28.08.2023 18:12, Jacob Champion wrote:
> On Thu, Aug 24, 2023 at 6:25 PM Michael Paquier <michael(at)paquier(dot)xyz> wrote:
>> LD_PRELOAD is the only thing I can think about, but that's very fancy.
>> Even with that, having a certificate with a NULL peer_cn could prove
>> to be useful in the SSL suite to stress more patterns around it?
>
> +1. Last we tried it, OpenSSL didn't want to create a certificate with
> an embedded null, but maybe things have changed?
>
To embed a null byte into the Subject, I first generated a regular
certificate request in the DER (binary) format, then manually inserted
null into the file and recomputed the checksum. Like this:
https://security.stackexchange.com/a/58845
I'll try to add a client certificate lacking a CN to the SSL test suite.
--
Sergey Shinderuk https://postgrespro.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jonathan S. Katz | 2023-08-28 17:51:18 | PostgreSQL 16 RC1 release announcement draft |
| Previous Message | Jelte Fennema | 2023-08-28 16:51:02 | Re: Support prepared statement invalidation when result types change |