From: | Marko Kreen <markokr(at)gmail(dot)com> |
---|---|
To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
Cc: | "Dr(dot) Andreas Kunert" <kunert(at)cms(dot)hu-berlin(dot)de>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Feature request: Logging SSL connections |
Date: | 2013-12-05 16:16:11 |
Message-ID: | 20131205161611.GA32749@gmail.com |
Lists: | pgsql-hackers |
On Thu, Dec 05, 2013 at 09:43:31AM -0500, Peter Eisentraut wrote:
> On 12/5/13, 8:53 AM, Dr. Andreas Kunert wrote:
> > we were really missing the information in our log files if (and which
> > of) our users are using SSL during their connections.
> >
> > The attached patch is a very simple solution to this problem - it just
> > tests if the ssl pointer in Port is null. If no, it adds "SSL" to the
> > logfile, otherwise it adds "NOSSL".
>
> That seems useful. Do we need more information, like whether a client
> certificate was presented, or what ciphers were used?

Yes, please show ciphersuite and TLS version too. Andreas, you can use my
recent \conninfo patch as a template:

https://github.com/markokr/postgres/commit/7d1b27ac74643abd15007cc4ec0b56ba92b39d90

Also, please show the SSL level also for walsender connections. It's
quite important to know whether they are using SSL or not.

But I think the 'bits' output is unnecessary, as its cipher strength
is known by ciphersuite. Perhaps it can be removed from \conninfo too.

--
marko