On 03.05.22 19:04, Jacob Champion wrote:
> One question/concern -- the Subject that's printed to the logs could be
> pretty big (OpenSSL limits the incoming certificate chain to 100K, by
> default), which introduces an avenue for intentional log spamming. Is
> there an existing convention for limiting the length of log output used
> for debugging? Maybe I should just hardcode a smaller limit and
> truncate anything past that? Or we could just log the Common Name,
> which should be limited to 64 bytes...

The information in pg_stat_ssl is limited to NAMEDATALEN (see struct
PgBackendSSLStatus).

It might make sense to align what your patch prints to identify
certificates with what is shown in that view.
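
One way to bound a logged Subject to NAMEDATALEN, as suggested above. This is an added example, not code from the patch under discussion or from PostgreSQL; `clip_subject_for_log` is a hypothetical helper, and it assumes the default NAMEDATALEN of 64 and a UTF-8 subject string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: PostgreSQL's default NAMEDATALEN (64 bytes, including the NUL). */
#define NAMEDATALEN 64

/*
 * Copy a certificate subject into a NAMEDATALEN buffer before logging it.
 * Input that does not fit is cut at a UTF-8 character boundary, so the log
 * never receives a partial multibyte sequence.  Returns the number of bytes
 * written (excluding the NUL); *truncated is set to 1 when input was cut.
 */
size_t
clip_subject_for_log(const char *subject, char out[NAMEDATALEN], int *truncated)
{
    size_t len = 0;
    size_t keep;

    /* Bounded scan: never walk the whole (possibly ~100K) subject. */
    while (len < NAMEDATALEN && subject[len] != '\0')
        len++;

    keep = len;
    *truncated = 0;
    if (len >= NAMEDATALEN)
    {
        *truncated = 1;
        keep = NAMEDATALEN - 1;
        /* If the first dropped byte is a continuation byte (10xxxxxx),
         * back up so the split character is dropped as a whole. */
        while (keep > 0 && ((unsigned char) subject[keep] & 0xC0) == 0x80)
            keep--;
    }
    memcpy(out, subject, keep);
    out[keep] = '\0';
    return keep;
}

int
main(void)
{
    char big[4096], out[NAMEDATALEN];   /* constructed oversized subject */
    int  cut;

    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    clip_subject_for_log(big, out, &cut);
    printf("subject=\"%s\"%s\n", out, cut ? " (truncated)" : "");
    return 0;
}
```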