| From: | Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> |
|---|---|
| To: | Jacob Champion <pchampion(at)vmware(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PATCH] Log details for client certificate failures |
| Date: | 2022-05-03 19:06:12 |
| Message-ID: | cd03fa63-d4d9-8d3b-f9f5-13206a28d888@enterprisedb.com |
| Lists: | pgsql-hackers |

On 03.05.22 19:04, Jacob Champion wrote:
> One question/concern -- the Subject that's printed to the logs could be
> pretty big (OpenSSL limits the incoming certificate chain to 100K, by
> default), which introduces an avenue for intentional log spamming. Is
> there an existing convention for limiting the length of log output used
> for debugging? Maybe I should just hardcode a smaller limit and
> truncate anything past that? Or we could just log the Common Name,
> which should be limited to 64 bytes...

The information in pg_stat_ssl is limited to NAMEDATALEN (see struct
PgBackendSSLStatus).

It might make sense to align what your patch prints to identify
certificates with what is shown in that view.
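
An added example of the bound discussed above (not part of the original message, the patch, or PostgreSQL's source): clipping an untrusted certificate Subject to a NAMEDATALEN-sized buffer before it is logged, cutting at a UTF-8 character boundary. `clip_for_log` is a hypothetical helper, and NAMEDATALEN is defined locally as 64 (PostgreSQL's default) so the block compiles on its own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 64 is PostgreSQL's default NAMEDATALEN; defined locally here. */
#define NAMEDATALEN 64

/*
 * Hypothetical helper: copy an untrusted NUL-terminated UTF-8 string into
 * dst (dstlen bytes including the terminator), never splitting a multibyte
 * character. Returns true if any input was dropped.
 */
static bool
clip_for_log(const char *src, char *dst, size_t dstlen)
{
    size_t srclen = strlen(src);
    size_t n = srclen;

    if (dstlen == 0)
        return srclen > 0;
    if (n > dstlen - 1)
    {
        n = dstlen - 1;
        /* If the first dropped byte is a continuation byte (10xxxxxx),
         * back up so the whole character is dropped, not half of it. */
        while (n > 0 && ((unsigned char) src[n] & 0xC0) == 0x80)
            n--;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n < srclen;
}

int
main(void)
{
    char subject[4096];         /* constructed oversized Subject */
    char buf[NAMEDATALEN];

    memset(subject, 'A', sizeof(subject) - 1);
    subject[sizeof(subject) - 1] = '\0';
    memcpy(subject, "CN=", 3);

    bool cut = clip_for_log(subject, buf, sizeof(buf));
    printf("subject \"%s\"%s\n", buf, cut ? " (truncated)" : "");
    return 0;
}
```

Whatever the size of the presented certificate, the logged identifier is at most NAMEDATALEN - 1 bytes.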