Home > mailing lists

Re: Allow matching whole DN from a client certificate - Mailing list pgsql-hackers

From	Michael Paquier
Subject	Re: Allow matching whole DN from a client certificate
Date	March 29, 2021 04:57:00
Msg-id	YGEz7N2dOh2Fjwun@paquier.xyz Whole thread Raw
In response to	Re: Allow matching whole DN from a client certificate (Andrew Dunstan <andrew@dunslane.net>)
Responses	Re: Allow matching whole DN from a client certificate
List	pgsql-hackers

Tree view

On Fri, Mar 26, 2021 at 09:34:03AM -0400, Andrew Dunstan wrote:
> OK, here's a new patch. I hope to commit this within a few days.

Thanks!

+   switch (port->hba->clientcertname)
+   {
+       case clientCertDN:
+           peer_username = port->peer_dn;
+           break;
+       default:
+           peer_username = port->peer_cn;
+   }

This does not need a "default".  I think that you should use "case
clientCertCN" instead here.

+              BIO_get_mem_ptr(bio, &bio_buf);
No status checks?  OpenSSL calls return 1 on success and 0 on failure,
so I would check after <= 0 here.

++                      if (port->hba->clientcertname == clientCertDN)
++                      {
++                              ereport(LOG,
May be better to use a switch() here as well.

It looks like this patch misses src/test/ssl/ssl/client-dn.crt,
causing the SSL tests to fail.
--
Michael

Attachment

signature.asc

pgsql-hackers by date:

From: Kyotaro Horiguchi
Date: 29 March 2021, 04:54:41
Subject: Re: Bug on update timing of walrcv->flushedUpto variable

From: Michael Paquier
Date: 29 March 2021, 05:04:24
Subject: Re: multi-install PostgresNode

Re: Allow matching whole DN from a client certificate - Mailing list pgsql-hackers

Attachment

Previous

Next