Re: [HACKERS] [Patch] Log SSL certificate verification errors

2017-11-13 Thread Laurenz Albe
Graham Leggett wrote:
> Currently neither the server side nor the client side SSL certificate verify
> callback does anything, leading to potential hair-tearing-out moments.
>
> The following patch to master implements logging of all certificate
> verification failures, as well as (crucially) which certificates failed to
> verify, and at what depth, so the admin can zoom in straight onto the problem
> without any guessing.

+1 for the idea.

I have been in this situation before, and any information that helps to
clarify what the problem is would be a great help.

Yours,
Laurenz Albe


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers


Re: [HACKERS] [Patch] Log SSL certificate verification errors

2017-11-11 Thread Graham Leggett
On 11 Nov 2017, at 6:23 AM, Michael Paquier wrote:

>> Currently neither the server side nor the client side SSL certificate verify 
>> callback does anything, leading to potential hair-tearing-out moments.
>> 
>> The following patch to master implements logging of all certificate 
>> verification failures, as well as (crucially) which certificates failed to 
>> verify, and at what depth, so the admin can zoom in straight onto the 
>> problem without any guessing.
> 
> Could you attach as a file to this thread a patch that can be easily
> applied? Using git --format-patch or simply diff is just fine.

I’ve attached it as a separate attachment.

The default behaviour of patch is to ignore all lines before and after the 
patch, so you can use my entire email as an input to patch and it will work 
(This is what git format-patch does, create something that looks like an email).

> Here are also some community guidelines on the matter:
> https://wiki.postgresql.org/wiki/Submitting_a_Patch
> 
> And if you are looking for feedback, you should register it to the
> next commit fest:
> https://commitfest.postgresql.org/16/

I shall do!

Regards,
Graham


postgresql-log-cert-verification.diff
Description: Binary data




Re: [HACKERS] [Patch] Log SSL certificate verification errors

2017-11-10 Thread Michael Paquier
On Sat, Nov 11, 2017 at 3:34 AM, Graham Leggett wrote:
> Currently neither the server side nor the client side SSL certificate verify 
> callback does anything, leading to potential hair-tearing-out moments.
>
> The following patch to master implements logging of all certificate 
> verification failures, as well as (crucially) which certificates failed to 
> verify, and at what depth, so the admin can zoom in straight onto the problem 
> without any guessing.

Could you attach as a file to this thread a patch that can be easily
applied? Using git --format-patch or simply diff is just fine.

Here are also some community guidelines on the matter:
https://wiki.postgresql.org/wiki/Submitting_a_Patch

And if you are looking for feedback, you should register it to the
next commit fest:
https://commitfest.postgresql.org/16/
-- 
Michael

