Graham, will you be able to respond to my questions or provide an
updated patch within the next week or so?
On 1/2/18 09:17, Peter Eisentraut wrote:
> The server-side changes look pretty reasonable.
>
> On the client side, I'd like to see some comments explaining the
> business around ssl_ex_data_index.
>
> We could probably do with some more tests. I can see the server-side
> message printed once in the logs of the ssl tests, but there ought to be
> some more cases. For the client side, we should think of a way to have
> the tests expose this new functionality.
>
> Some of the new code in verify_cb() should perhaps be a bit more
> defensive. I don't know all these APIs in detail, but it seems possible
> that some calls will return NULL, which could lead to crashes later on.
>
> I'm also wondering whether it is always safe and sane to print subject
> and issuer. I'd imagine a client could craft a silly certificate setup
> on purpose and the server would just print whatever the client said into
> the logs.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
