That seems useful. Do we need more information, like whether a client
certificate was presented, or what ciphers were used?

Yes, please show ciphersuite and TLS version too. Andreas, you can use my
recent \conninfo patch as template:
https://github.com/markokr/postgres/commit/7d1b27ac74643abd15007cc4ec0b56ba92b39d90

Also, please show the SSL level also for walsender connections. It's
quite important to know whether they are using SSL or not.

But I think the 'bits' output is unnecessary, as its cipher strength
is known by ciphersuite. Perhaps it can be removed from \conninfo too.

A new patch is attached. I added the ciphersuite and TLS version as
shown in your template (minus the 'bits' output). I also added the SSL
information for walsender connections, but due to a missing test setup I
cannot test that part.

Anything else missing?
--
Andreas
--- postinit.c.orig 2013-12-06 10:26:47.773341120 +0100
+++ postinit.c 2013-12-06 10:37:30.185894650 +0100
@@ -220,6 +220,26 @@
if (Log_connections)
{
+#ifdef USE_SSL
+ if (am_walsender)
+ if (port->ssl > 0)
+ ereport(LOG,
+ (errmsg("replication connection authorized: user=%s SSL(protocol: %s, cipher: %s)",
+ port->user_name, SSL_get_version(port->ssl), SSL_get_cipher(port->ssl))));
+ else
+ ereport(LOG,
+ (errmsg("replication connection authorized: user=%s",
+ port->user_name)));
+ else
+ if (port->ssl > 0)
+ ereport(LOG,
+ (errmsg("connection authorized: user=%s database=%s SSL(protocol: %s, cipher: %s)",
+ port->user_name, port->database_name, SSL_get_version(port->ssl), SSL_get_cipher(port->ssl))));
+ else
+ ereport(LOG,
+ (errmsg("connection authorized: user=%s database=%s",
+ port->user_name, port->database_name)));
+#else
if (am_walsender)
ereport(LOG,
(errmsg("replication connection authorized: user=%s",
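Review bot: In the added USE_SSL block, `port->ssl > 0` is a relational comparison on the value that is then handed to `SSL_get_version()` and `SSL_get_cipher()` as the connection handle, so it should be tested as a pointer, `port->ssl != NULL` (or plain `if (port->ssl)`), in both places. The nested `if (am_walsender) if (...) ... else ... else ...` also has no braces: each `else` does bind to the nearest `if`, so the logic is right, but the pairing is easy to misread and compilers warn about it, so please brace the outer `if`/`else` bodies. Since the walsender path is stated as untested, the replication branch deserves a run against a real standby before commit.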
@@ -228,6 +248,7 @@
ereport(LOG,
(errmsg("connection authorized: user=%s database=%s",
port->user_name, port->database_name)));
+#endif
}
set_ps_display("startup", false);
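Review bot: With the `#endif` placed here, the two non-SSL messages kept in the `#else` branch are exact copies of the non-SSL `errmsg` strings added inside the `#ifdef USE_SSL` branch, so any later wording change has to be made twice. Consider putting only the SSL-specific `ereport` calls under `#ifdef USE_SSL` and letting both builds fall through to the single existing pair of messages when no SSL connection is present.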