| From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
|---|---|
| To: | Graham Leggett <minfrin(at)sharp(dot)fm>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
| Cc: | PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [HACKERS] [Patch] Log SSL certificate verification errors |
| Date: | 2018-01-17 14:03:51 |
| Message-ID: | 8e21f6d8-b46e-6fd0-5118-b0dce8c189b5@2ndquadrant.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Graham, will you be able to respond to my questions or provide an
updated patch within the next week or so?
On 1/2/18 09:17, Peter Eisentraut wrote:
> The server-side changes look pretty reasonable.
>
> On the client side, I'd like to see some comments explaining the
> business around ssl_ex_data_index.
>
> We could probably do with some more tests. I can see the server-side
> message printed once in the logs of the ssl tests, but there ought to be
> some more cases. For the client side, we should think of a way to have
> the tests expose this new functionality.
>
> Some of the new code in verify_cb() should perhaps be a bit more
> defensive. I don't know all these APIs in detail, but it seems possible
> that some calls will return NULL, which could lead to crashes later on.
>
> I'm also wondering whether it is always safe and sane to print subject
> and issuer. I'd imagine a client could craft a silly certificate setup
> on purpose and the server would just print whatever the client said into
> the logs.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Christoph Berg | 2018-01-17 14:10:58 | Re: Package version in PG_VERSION and version() |
| Previous Message | Peter Eisentraut | 2018-01-17 14:01:29 | Re: Package version in PG_VERSION and version() |