On Wed, Aug 23, 2023 at 6:23 AM Daniel Gustafsson <dan...@yesql.se> wrote: > This has the smell of a theoretical problem, I can't really imagine a > certificate where which would produce this. Have you been able to trigger it? > > Wouldn't a better fix be to error out on len == -1 as in the attached, maybe > with a "Shouldn't happen" comment?
Using "cert clientname=DN" in the HBA should let you issue Subjects without Common Names. Or, if you're using a certificate to authorize the connection rather than authenticate the user (for example "scram-sha-256 clientcert=verify-ca" in your HBA), then the certs you distribute could even be SAN-only with a completely empty Subject. --Jacob
