Re: [PATCH] Log details for client certificate failures

From: Jacob Champion <jchampion(at)timescale(dot)com>
To: Graham Leggett <minfrin(at)sharp(dot)fm>
Cc: Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH] Log details for client certificate failures
Date: 2022-07-12 23:05:58
Message-ID: CAAWbhmhn04WP1UeQ1r3YeXvb=46PwvTfpOnVret7pB7RBDV6aQ@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Sat, Jul 9, 2022 at 6:49 AM Graham Leggett <minfrin(at)sharp(dot)fm> wrote:
> Please don’t invent another format, or try and truncate the data. This is a huge headache when troubleshooting.

I hear you, and I agree that correlating these things across machines
is something we should be making easier. I'm just not convinced that
the particular format you've proposed, with a new set of rules for
quoting and escaping, needs to be part of this patch. (And I think
there are good reasons to truncate unverified cert data, so there'd
have to be clear benefits to offset the risk of opening it up.)

Searching Google for "issuer rdnSequence" comes up with mostly false
positives related to LDAP filtering and certificate dumps, and the
true positives seem to be mail threads that you've participated in. Do
many LDAP servers log certificate failures in this format by default?
(For that matter, does httpd?) The discussion at the time you added
this to httpd [1] seemed to be making the point that this was a niche
format, suited mostly for interaction with LDAP filters -- and Kaspar
additionally pointed out that it's not a canonical format, so all of
our implementations would have to have an ad hoc agreement to choose
exactly one encoding.

If you're using randomized serial numbers, you should be able to grep
for those by themselves and successfully match many different formats,
no? To me, that seems good enough for a first patch, considering we
don't currently log any of this information.

--Jacobfi

[1] https://lists.apache.org/thread/1665qc4mod7ppp58qk3bqc2l3wtl3lkn

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Jacob Champion 2022-07-12 23:06:50 Re: [PATCH] Log details for client certificate failures
Previous Message Tom Lane 2022-07-12 23:02:02 Re: Some clean-up work in get_cheapest_group_keys_order()