Re: Allow matching whole DN from a client certificate - Mailing list pgsql-hackers

From Michael Paquier
Subject Re: Allow matching whole DN from a client certificate
Date
Msg-id YGJ6Efu3u4DAXsBV@paquier.xyz
In response to Re: Allow matching whole DN from a client certificate  (Michael Paquier <michael@paquier.xyz>)
List pgsql-hackers
On Mon, Mar 29, 2021 at 10:57:00AM +0900, Michael Paquier wrote:
> +   switch (port->hba->clientcertname)
> +   {
> +       case clientCertDN:
> +           peer_username = port->peer_dn;
> +           break;
> +       default:
> +           peer_username = port->peer_cn;
> +   }
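
Review bot: the "default:" arm of this switch sends every value of port->hba->clientcertname other than clientCertDN to port->peer_cn, so an enum value added later would silently be matched against the CN. Name the CN case explicitly ("case clientCertCN:" with its own "break;") and drop "default:", so that the compiler's switch warning can flag any value the switch does not handle.
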
>
> This does not need a "default".  I think that you should use "case
> clientCertCN" instead here.
>
> +              BIO_get_mem_ptr(bio, &bio_buf);
> No status checks?  OpenSSL calls return 1 on success and 0 on failure,
> so I would check after <= 0 here.
>
> ++                      if (port->hba->clientcertname == clientCertDN)
> ++                      {
> ++                              ereport(LOG,
> May be better to use a switch() here as well.
>
> It looks like this patch misses src/test/ssl/ssl/client-dn.crt,
> causing the SSL tests to fail.

For the sake of the archives, this has been applied as of 6d7a6fe with
all those nits from me addressed.
--
Michael
