Re: [PATCH] Log details for client certificate failures - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: [PATCH] Log details for client certificate failures
Msg-id CAAWbhmhn04WP1UeQ1r3YeXvb=46PwvTfpOnVret7pB7RBDV6aQ@mail.gmail.com
In response to Re: [PATCH] Log details for client certificate failures  (Graham Leggett <minfrin@sharp.fm>)
List pgsql-hackers
On Sat, Jul 9, 2022 at 6:49 AM Graham Leggett <minfrin@sharp.fm> wrote:
> Please don’t invent another format, or try and truncate the data. This is a huge headache when troubleshooting.

I hear you, and I agree that correlating these things across machines
is something we should be making easier. I'm just not convinced that
the particular format you've proposed, with a new set of rules for
quoting and escaping, needs to be part of this patch. (And I think
there are good reasons to truncate unverified cert data, so there'd
have to be clear benefits to offset the risk of opening it up.)

Searching Google for "issuer rdnSequence" comes up with mostly false
positives related to LDAP filtering and certificate dumps, and the
true positives seem to be mail threads that you've participated in. Do
many LDAP servers log certificate failures in this format by default?
(For that matter, does httpd?) The discussion at the time you added
this to httpd [1] seemed to be making the point that this was a niche
format, suited mostly for interaction with LDAP filters -- and Kaspar
additionally pointed out that it's not a canonical format, so all of
our implementations would have to have an ad hoc agreement to choose
exactly one encoding.

If you're using randomized serial numbers, you should be able to grep
for those by themselves and successfully match many different formats,
no? To me, that seems good enough for a first patch, considering we
don't currently log any of this information.

--Jacob

[1] https://lists.apache.org/thread/1665qc4mod7ppp58qk3bqc2l3wtl3lkn
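The cross-format correlation Jacob suggests (grep for the serial number rather than agreeing on one DN encoding), as an added example that is not part of this thread or of PostgreSQL or httpd: the log lines are constructed, the serial-number patterns are assumptions about how servers print them, and the small escaping/truncation helper illustrates the "truncate unverified cert data" concern.

```python
import re

# Constructed sample log lines (not real server output). The first three describe
# the same client certificate, each printing the serial in a different encoding.
SAMPLE_LOGS = [
    'pg: client certificate verification failed at depth 0: serial number 0A:1B:2C:3D:4E, subject "CN=alice"',
    'httpd: SSL client cert rejected, serial=0x0a1b2c3d4e, issuer CN=Example CA',
    'ldap: TLS client cert failed, serialNumber=43405557070 dn=cn=alice',
    'pg: client certificate verification failed at depth 0: serial number FF:00:01, subject "CN=bob"',
]

# Assumed serial spellings: "serial number AA:BB", "serial=0xaabb", "serialNumber=1234".
# Bare hex without a 0x prefix or colons is ambiguous with decimal and is treated as decimal.
SERIAL_RE = re.compile(
    r'serial(?:\s*number)?\s*[=:]?\s*'
    r'(0x[0-9a-f]+|(?:[0-9a-f]{2}:)+[0-9a-f]{2}|\d+)',
    re.IGNORECASE,
)


def normalize_serial(token):
    """Map a serial in 0x-hex, colon-separated hex or decimal form to one integer."""
    t = token.lower()
    if t.startswith('0x'):
        return int(t, 16)
    if ':' in t:
        return int(t.replace(':', ''), 16)
    return int(t, 10)


def correlate(lines):
    """Group log lines by normalized serial; one group = one certificate across formats."""
    groups = {}
    for line in lines:
        m = SERIAL_RE.search(line)
        if m:
            groups.setdefault(normalize_serial(m.group(1)), []).append(line)
    return groups


def safe_dn_for_log(dn, limit=64):
    """Escape control, non-ASCII and backslash bytes and cap the length before logging
    a DN taken from an unverified certificate, so it cannot forge or flood log lines."""
    raw = dn.encode('utf-8') if isinstance(dn, str) else dn
    escaped = ''.join(chr(b) if 0x20 <= b < 0x7f and b != 0x5c else '\\x%02x' % b
                      for b in raw)
    return escaped if len(escaped) <= limit else escaped[:limit] + '...[truncated]'


if __name__ == '__main__':
    for serial, hits in correlate(SAMPLE_LOGS).items():
        print(hex(serial), len(hits), 'line(s)')
    print(safe_dn_for_log('CN=alice\n  forged entry'))
```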