| From: | Michael Paquier <michael(at)paquier(dot)xyz> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Cc: | Joel Jacobson <joel(at)compiler(dot)org>, Jacob Champion <pchampion(at)vmware(dot)com>, "daniel(at)yesql(dot)se" <daniel(at)yesql(dot)se>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Allow matching whole DN from a client certificate |
| Date: | 2021-03-29 01:57:00 |
| Message-ID: | YGEz7N2dOh2Fjwun@paquier.xyz |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Mar 26, 2021 at 09:34:03AM -0400, Andrew Dunstan wrote:
> OK, here's a new patch. I hope to commit this within a few days.
Thanks!
+ switch (port->hba->clientcertname)
+ {
+ case clientCertDN:
+ peer_username = port->peer_dn;
+ break;
+ default:
+ peer_username = port->peer_cn;
+ }
This does not need a "default". I think that you should use "case
clientCertCN" instead here.
+ BIO_get_mem_ptr(bio, &bio_buf);
No status checks? OpenSSL calls return 1 on success and 0 on failure,
so I would check after <= 0 here.
++ if (port->hba->clientcertname == clientCertDN)
++ {
++ ereport(LOG,
May be better to use a switch() here as well.
It looks like this patch misses src/test/ssl/ssl/client-dn.crt,
causing the SSL tests to fail.
--
Michael
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2021-03-29 02:04:24 | Re: multi-install PostgresNode |
| Previous Message | Kyotaro Horiguchi | 2021-03-29 01:54:41 | Re: Bug on update timing of walrcv->flushedUpto variable |