commit 7489e52168b76df3a84c68d79fb22651a05a0c05 Author: Jacob Champion Date: Fri Jul 8 09:19:32 2022 -0700 squash! Log details for client certificate failures Change detail message, per review.
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 80b361b105..a2cbcdad5f 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1173,9 +1173,10 @@ verify_cb(int ok, X509_STORE_CTX *ctx)
 (errmsg("client certificate verification failed at depth %d: %s",
 depth, errstring),
 /* only print detail if we have a certificate to print */
- subject && errdetail("failed certificate had subject '%s', "
+ subject && errdetail("Failed certificate data (unverified): "
+ "subject '%s', "
 "serial number %s, "
- "purported issuer '%s'",
+ "issuer '%s'",
 sub_truncated ? sub_truncated : subject,
 serialno ? serialno : _("unknown"),
 iss_truncated ? iss_truncated : issuer)));
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index a9b737ed09..0f837e1b9f 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -685,7 +685,7 @@ $node->connect_fails(
 expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
 log_like => [
 qr/client certificate verification failed at depth 0: certificate revoked/,
- qr/failed certificate had subject '\/CN=ssltestuser', serial number 2315134995201656577, purported issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
+ qr/Failed certificate data \(unverified\): subject '\/CN=ssltestuser', serial number 2315134995201656577, issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
 ],
 # revoked certificates should not authenticate the user
 log_unlike => [qr/connection authenticated:/],);
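Review bot: The rewritten errdetail on the `+` lines is not a complete sentence and quotes values with single quotes, whereas the project's message style guide asks that detail messages end with a period and that quoted strings use double quotes; the string would read `"Failed certificate data (unverified): subject \"%s\", serial number %s, issuer \"%s\"."`, with the regexes in 001_ssltests.pl (hunks at 685, 737, 746, 761 and 778) adjusted to match. The `(unverified)` label is the substantive part of this change, since subject, serial number and issuer are taken from the certificate the client presented before chain validation succeeded, so nothing in that detail line may be treated as authenticated data; a short comment above the errdetail would keep that intent from being lost in a later wording pass, e.g. `/* fields below come from the client-supplied, not-yet-verified cert; keep the "(unverified)" label */`. Whether those strings are stripped of control characters before they reach the log is decided outside this hunk, as is the rest of verify_cb, which starts and ends beyond the visible lines.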
@@ -737,7 +737,7 @@ $node->connect_fails(
 expected_stderr => qr/SSL error: tlsv1 alert unknown ca/,
 log_like => [
 qr/client certificate verification failed at depth 0: unable to get local issuer certificate/,
- qr/failed certificate had subject '\/CN=ssltestuser', serial number 2315134995201656576, purported issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
+ qr/Failed certificate data \(unverified\): subject '\/CN=ssltestuser', serial number 2315134995201656576, issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
 ]);
 
 $node->connect_fails(
@@ -746,7 +746,7 @@ $node->connect_fails(
 expected_stderr => qr/SSL error: tlsv1 alert unknown ca/,
 log_like => [
 qr/client certificate verification failed at depth 0: unable to get local issuer certificate/,
- qr/failed certificate had subject '\.\.\.\/CN=ssl-123456789012345678901234567890123456789012345678901234567890', serial number 2315418733629425152, purported issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
+ qr/Failed certificate data \(unverified\): subject '\.\.\.\/CN=ssl-123456789012345678901234567890123456789012345678901234567890', serial number 2315418733629425152, issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
 ]);
 
 # Use an invalid cafile here so that the next test won't be able to verify the
@@ -761,7 +761,7 @@ $node->connect_fails(
 expected_stderr => qr/SSL error: tlsv1 alert unknown ca/,
 log_like => [
 qr/client certificate verification failed at depth 1: unable to get local issuer certificate/,
- qr/failed certificate had subject '\/CN=Test CA for PostgreSQL SSL regression test client certs', serial number 2315134995201656577, purported issuer '\/CN=Test root CA for PostgreSQL SSL regression test suite'/,
+ qr/Failed certificate data \(unverified\): subject '\/CN=Test CA for PostgreSQL SSL regression test client certs', serial number 2315134995201656577, issuer '\/CN=Test root CA for PostgreSQL SSL regression test suite'/,
 ]);
 
 # test server-side CRL directory
@@ -778,7 +778,7 @@ $node->connect_fails(
 expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
 log_like => [
 qr/client certificate verification failed at depth 0: certificate revoked/,
- qr/failed certificate had subject '\/CN=ssltestuser', serial number 2315134995201656577, purported issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
+ qr/Failed certificate data \(unverified\): subject '\/CN=ssltestuser', serial number 2315134995201656577, issuer '\/CN=Test CA for PostgreSQL SSL regression test client certs'/,
 ]);
 
 done_testing();