From: | Jacob Champion <pchampion(at)vmware(dot)com> |
---|---|
To: | "daniel(at)yesql(dot)se" <daniel(at)yesql(dot)se>, "andrew(at)dunslane(dot)net" <andrew(at)dunslane(dot)net> |
Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Allow matching whole DN from a client certificate |
Date: | 2021-02-26 19:55:18 |
Message-ID: | d0eab6d2faa8fac0ed9a0efaf3fcb953f2d83e51.camel@vmware.com |
Lists: | pgsql-hackers |

On Sat, 2021-01-30 at 16:18 -0500, Andrew Dunstan wrote:
> Making incremental additions to the certificate set easier wouldn't be a
> bad thing.
>
> I wonder if we should really be setting 1 as the serial number, though.
> Might it not be better to use, say, `date +%Y%m%d01` rather like we do
> with catalog version numbers?

I have been experimenting a bit with both of these suggestions; hope to
have something in time for commitfest on Monday. Writing new tests for
NSS has run into the same problems you've mentioned.

FYI, I've pulled the port->peer_dn functionality you've presented here
into my authenticated identity patchset at [1].

--Jacob