From: Jacob Champion <jchampion(at)timescale(dot)com>
To: Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>
Cc: "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH] Log details for client certificate failures
Date: 2022-07-01 20:51:24
Message-ID: CAAWbhmggsEacYW+cahN7USucsTgK9P4c5VMLaxWRdXvGQ=+BHA@mail.gmail.com
Lists: pgsql-hackers

On Thu, Jun 30, 2022 at 2:43 AM Peter Eisentraut
<peter(dot)eisentraut(at)enterprisedb(dot)com> wrote:
>
> On 13.05.22 00:36, Jacob Champion wrote:
> > v2 limits the maximum subject length and adds the serial number to the
> > logs.
>
> I wrote that pg_stat_ssl uses the *issuer* plus serial number to
> identify a certificate. What your patch shows is the subject and the
> serial number, which isn't the same thing. Let's get that sorted out
> one way or the other.

Sorry for the misunderstanding! v3 adds the Issuer to the logs as well.
I wanted to clarify that this "issuer" has not actually been verified,
but all I could come up with was "purported issuer" which doesn't read
well to me. "Claimed issuer"? "Alleged issuer"? Thoughts?

> Another point, your patch produces
>
> LOG: connection received: host=localhost port=44120
> LOG: client certificate verification failed at depth 1: ...
> DETAIL: failed certificate had subject ...
> LOG: could not accept SSL connection: certificate verify failed
>
> I guess what we really would like is
>
> LOG: connection received: host=localhost port=44120
> LOG: could not accept SSL connection: certificate verify failed
> DETAIL: client certificate verification failed at depth 1: ...
> failed certificate had subject ...
>
> But I suppose that would be very cumbersome to produce with the callback
> structure provided by OpenSSL?

I was about to say "yes, very cumbersome", but I actually think we
might be able to do that without bubbling the error up through
multiple callback layers, using SSL_set_ex_data() and friends. I'll
take a closer look.

Thanks!
--Jacob

Attachment | Content-Type | Size |
---|---|---|
since-v2.diff.txt | text/plain | 7.0 KB |
v3-0001-Log-details-for-client-certificate-failures.patch | text/x-patch | 14.1 KB |