Home > mailing lists

Re: Fix error handling in be_tls_open_server() - Mailing list pgsql-hackers

From	Jacob Champion
Subject	Re: Fix error handling in be_tls_open_server()
Date	August 24, 2023 00:47:55
Msg-id	CAAWbhmj6ZkTm8HXOcBeZwQXbdvH=-DQAU5X2XF=M7-QiwPVAoA@mail.gmail.com Whole thread Raw
In response to	Re: Fix error handling in be_tls_open_server() (Daniel Gustafsson <daniel@yesql.se>)
Responses	Re: Fix error handling in be_tls_open_server()
List	pgsql-hackers

Tree view

On Wed, Aug 23, 2023 at 6:23 AM Daniel Gustafsson <daniel@yesql.se> wrote:
> This has the smell of a theoretical problem, I can't really imagine a
> certificate where which would produce this.  Have you been able to trigger it?
>
> Wouldn't a better fix be to error out on len == -1 as in the attached, maybe
> with a "Shouldn't happen" comment?

Using "cert clientname=DN" in the HBA should let you issue Subjects
without Common Names. Or, if you're using a certificate to authorize
the connection rather than authenticate the user (for example
"scram-sha-256 clientcert=verify-ca" in your HBA), then the certs you
distribute could even be SAN-only with a completely empty Subject.

--Jacob

pgsql-hackers by date:

From: Andres Freund
Date: 24 August 2023, 00:43:41
Subject: Re: Cirrus-ci is lowering free CI cycles - what to do with cfbot, etc?

From: Andres Freund
Date: 24 August 2023, 00:48:03
Subject: Re: Cirrus-ci is lowering free CI cycles - what to do with cfbot, etc?

Re: Fix error handling in be_tls_open_server() - Mailing list pgsql-hackers

Previous

Next