Re: [HACKERS] [Patch] Log SSL certificate verification errors
On Tue, Mar 06, 2018 at 02:56:41PM -0500, Peter Eisentraut wrote: > But this patch was quite useful while debugging some of the other > ongoing SSL work. So if it were revived at some point in the future, it > would be welcome. +1! -- Michael signature.asc Description: PGP signature
Re: [HACKERS] [Patch] Log SSL certificate verification errors
On 3/1/18 20:48, Andres Freund wrote: > On 2018-01-17 09:03:51 -0500, Peter Eisentraut wrote: >> Graham, will you be able to respond to my questions or provide an >> updated patch within the next week or so? > > Given that nothing has happend since, I've marked this as returned with > feedback. Agreed. But this patch was quite useful while debugging some of the other ongoing SSL work. So if it were revived at some point in the future, it would be welcome. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: [HACKERS] [Patch] Log SSL certificate verification errors
On 2018-01-17 09:03:51 -0500, Peter Eisentraut wrote: > Graham, will you be able to respond to my questions or provide an > updated patch within the next week or so? Given that nothing has happend since, I've marked this as returned with feedback. Greetings, Andres Freund
Re: [HACKERS] [Patch] Log SSL certificate verification errors
Graham, will you be able to respond to my questions or provide an updated patch within the next week or so? On 1/2/18 09:17, Peter Eisentraut wrote: > The server-side changes look pretty reasonable. > > On the client side, I'd like to see some comments explaining the > business around ssl_ex_data_index. > > We could probably do with some more tests. I can see the server-side > message printed once in the logs of the ssl tests, but there ought to be > some more cases. For the client side, we should think of a way to have > the tests expose this new functionality. > > Some of the new code in verify_cb() should perhaps be a bit more > defensive. I don't know all these APIs in detail, but it seems possible > that some calls will return NULL, which could lead to crashes later on. > > I'm also wondering whether it is always safe and sane to print subject > and issuer. I'd imagine a client could craft a silly certificate setup > on purpose and the server would just print whatever the client said into > the logs. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: [HACKERS] [Patch] Log SSL certificate verification errors
On 11/11/17 05:50, Graham Leggett wrote: > On 11 Nov 2017, at 6:23 AM, Michael Paquier wrote: > >>> Currently neither the server side nor the client side SSL certificate >>> verify callback does anything, leading to potential hair-tearing-out >>> moments. >>> >>> The following patch to master implements logging of all certificate >>> verification failures, as well as (crucially) which certificates failed to >>> verify, and at what depth, so the admin can zoom in straight onto the >>> problem without any guessing. >> >> Could you attach as a file to this thread a patch that can be easily >> applied? Using git --format-patch or simply diff is just fine. > > I’ve attached it as a separate attachment. The server-side changes look pretty reasonable. On the client side, I'd like to see some comments explaining the business around ssl_ex_data_index. We could probably do with some more tests. I can see the server-side message printed once in the logs of the ssl tests, but there ought to be some more cases. For the client side, we should think of a way to have the tests expose this new functionality. Some of the new code in verify_cb() should perhaps be a bit more defensive. I don't know all these APIs in detail, but it seems possible that some calls will return NULL, which could lead to crashes later on. I'm also wondering whether it is always safe and sane to print subject and issuer. I'd imagine a client could craft a silly certificate setup on purpose and the server would just print whatever the client said into the logs. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
