| From: | Jacob Champion <jchampion(at)timescale(dot)com> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
| Cc: | Sergey Shinderuk <s(dot)shinderuk(at)postgrespro(dot)ru>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Fix error handling in be_tls_open_server() |
| Date: | 2023-08-23 21:47:55 |
| Message-ID: | CAAWbhmj6ZkTm8HXOcBeZwQXbdvH=-DQAU5X2XF=M7-QiwPVAoA@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Aug 23, 2023 at 6:23 AM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> This has the smell of a theoretical problem, I can't really imagine a
> certificate where which would produce this. Have you been able to trigger it?
>
> Wouldn't a better fix be to error out on len == -1 as in the attached, maybe
> with a "Shouldn't happen" comment?
Using "cert clientname=DN" in the HBA should let you issue Subjects
without Common Names. Or, if you're using a certificate to authorize
the connection rather than authenticate the user (for example
"scram-sha-256 clientcert=verify-ca" in your HBA), then the certs you
distribute could even be SAN-only with a completely empty Subject.
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2023-08-23 21:48:03 | Re: Cirrus-ci is lowering free CI cycles - what to do with cfbot, etc? |
| Previous Message | Andres Freund | 2023-08-23 21:43:41 | Re: Cirrus-ci is lowering free CI cycles - what to do with cfbot, etc? |