Don't reflect unescaped cert data to the logs Commit 3a0e385048 introduced a new path for unauthenticated bytes from the client certificate to be printed unescaped to the logs. There are a handful of these already, but it doesn't make sense to keep making the problem worse. \x-escape any unprintable bytes.
The test case introduces a revoked UTF-8 certificate. This requires the addition of the `-utf8` flag to `openssl req`. Since the existing certificates all use an ASCII subset, this won't modify the existing certificates' subjects if/when they get regenerated; this was verified experimentally with $ make sslfiles-clean $ make sslfiles Unfortunately the test can't be run in the CI yet due to a test timing issue; see 55828a6b60. Author: Jacob Champion <jchamp...@timescale.com> Discussion: https://www.postgresql.org/message-id/CAAWbhmgsvHrH9wLU2kYc3pOi1KSenHSLAHBbCVmmddW6-mc_=w...@mail.gmail.com Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/257eb57b50f7c65467bfc2f4d579622fa13f3370 Modified Files -------------- src/backend/libpq/be-secure-openssl.c | 57 ++++++++++++++----------- src/test/ssl/conf/client-revoked-utf8.config | 13 ++++++ src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 19 +++++---- src/test/ssl/ssl/client-revoked-utf8.crt | 18 ++++++++ src/test/ssl/ssl/client-revoked-utf8.key | 27 ++++++++++++ src/test/ssl/ssl/client.crl | 19 +++++---- src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 19 +++++---- src/test/ssl/ssl/root+client.crl | 19 +++++---- src/test/ssl/sslfiles.mk | 10 +++-- src/test/ssl/t/001_ssltests.pl | 13 ++++++ src/test/ssl/t/SSL/Backend/OpenSSL.pm | 3 +- 11 files changed, 150 insertions(+), 67 deletions(-)