Re: [HACKERS] [Patch] Log SSL certificate verification errors

From: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
To: Graham Leggett <minfrin(at)sharp(dot)fm>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
Cc: PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [HACKERS] [Patch] Log SSL certificate verification errors
Date: 2018-01-02 14:17:26
Message-ID: d30d19e6-1e00-6efb-ebc4-2efc5c7e674a@2ndquadrant.com
Lists: pgsql-hackers

On 11/11/17 05:50, Graham Leggett wrote:
> On 11 Nov 2017, at 6:23 AM, Michael Paquier <michael(dot)paquier(at)gmail(dot)com> wrote:
>
>>> Currently neither the server side nor the client side SSL certificate verify callback does anything, leading to potential hair-tearing-out moments.
>>>
>>> The following patch to master implements logging of all certificate verification failures, as well as (crucially) which certificates failed to verify, and at what depth, so the admin can zoom in straight onto the problem without any guessing.
>>
>> Could you attach as a file to this thread a patch that can be easily
>> applied? Using git --format-patch or simply diff is just fine.
>
> I’ve attached it as a separate attachment.

The server-side changes look pretty reasonable.

On the client side, I'd like to see some comments explaining the
business around ssl_ex_data_index.

We could probably do with some more tests. I can see the server-side
message printed once in the logs of the ssl tests, but there ought to be
some more cases. For the client side, we should think of a way to have
the tests expose this new functionality.

Some of the new code in verify_cb() should perhaps be a bit more
defensive. I don't know all these APIs in detail, but it seems possible
that some calls will return NULL, which could lead to crashes later on.

I'm also wondering whether it is always safe and sane to print subject
and issuer. I'd imagine a client could craft a silly certificate setup
on purpose and the server would just print whatever the client said into
the logs.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
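The two review points above (defensive handling of NULL results in verify_cb(), and not trusting what a peer puts into its certificate's subject and issuer when writing them to the server log) can be illustrated with a small piece of C. This is an added example, not the patch under discussion and not PostgreSQL code. It assumes the OpenSSL verify-callback shape described in the comments (current certificate from X509_STORE_CTX_get_current_cert(), depth from X509_STORE_CTX_get_error_depth(), reason from X509_verify_cert_error_string(), names via X509_NAME_oneline(), which returns a buffer to be released with OPENSSL_free()); the OpenSSL calls themselves are not made here, so the subject and issuer strings below are constructed stand-ins for their results, and the function names sanitize_for_log() and format_verify_failure() are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Longest peer-supplied field copied into one log line, before escaping. */
#define MAX_LOG_FIELD 128

/*
 * Copy `in` into `out`, escaping every byte that is not printable ASCII,
 * so a crafted subject or issuer cannot smuggle a newline, a terminal
 * control sequence or a fake log record into the server log. Backslash
 * is escaped as well so the result is unambiguous. Input longer than
 * MAX_LOG_FIELD bytes is cut and marked with "...". A NULL input is
 * treated as an empty string. Returns the bytes written, excluding the NUL.
 */
size_t sanitize_for_log(const char *in, char *out, size_t outsz)
{
    size_t n = 0, i;

    if (outsz == 0)
        return 0;
    if (in == NULL)
        in = "";

    for (i = 0; in[i] != '\0'; i++)
    {
        unsigned char c = (unsigned char) in[i];
        char esc[5];                       /* "\xHH" plus NUL */
        const char *piece = esc;
        size_t len;

        if (i == MAX_LOG_FIELD)
            piece = "...";
        else if (c == '\\')
            piece = "\\\\";
        else if (c >= 0x20 && c < 0x7f)
        {
            esc[0] = (char) c;
            esc[1] = '\0';
        }
        else
            snprintf(esc, sizeof esc, "\\x%02x", (unsigned) c);

        len = strlen(piece);
        if (n + len >= outsz)
            break;                         /* out of room: truncate, keep NUL */
        memcpy(out + n, piece, len);
        n += len;
        if (i == MAX_LOG_FIELD)
            break;
    }
    out[n] = '\0';
    return n;
}

/*
 * Build the log line for one verification failure. In a real verify_cb()
 * `subject`/`issuer` would be X509_NAME_oneline() output, which is NULL when
 * the current certificate, its name or the allocation is unavailable; NULL is
 * reported rather than dereferenced. Returns the message length, or -1 when
 * `out` is too small.
 */
int format_verify_failure(int depth, const char *reason,
                          const char *subject, const char *issuer,
                          char *out, size_t outsz)
{
    char subj_buf[4 * MAX_LOG_FIELD + 8];  /* worst case: every byte -> \xHH */
    char iss_buf[4 * MAX_LOG_FIELD + 8];
    const char *subj_txt = "(unavailable)";
    const char *iss_txt = "(unavailable)";
    int len;

    if (subject != NULL)
    {
        sanitize_for_log(subject, subj_buf, sizeof subj_buf);
        subj_txt = subj_buf;
    }
    if (issuer != NULL)
    {
        sanitize_for_log(issuer, iss_buf, sizeof iss_buf);
        iss_txt = iss_buf;
    }
    if (reason == NULL)
        reason = "unknown error";

    len = snprintf(out, outsz,
                   "SSL certificate verification failed at depth %d: %s; "
                   "subject=\"%s\"; issuer=\"%s\"",
                   depth, reason, subj_txt, iss_txt);
    return (len < 0 || (size_t) len >= outsz) ? -1 : len;
}

int main(void)
{
    /* Constructed inputs standing in for X509_NAME_oneline() results. */
    const char *crafted = "CN=victim.example\nLOG:  connection authorized: user=postgres";
    char msg[1200];

    if (format_verify_failure(0, "self signed certificate", crafted, "CN=Evil CA",
                              msg, sizeof msg) > 0)
        puts(msg);
    if (format_verify_failure(1, "unable to get local issuer certificate",
                              "CN=leaf.example", NULL, msg, sizeof msg) > 0)
        puts(msg);
    return 0;
}
```

The first call shows the injected line break rendered as `\x0a` inside the quoted subject instead of starting a second, forged log record; the second shows a missing issuer reported as `(unavailable)` rather than crashing. The same escaping would apply to any other peer-controlled field a callback decides to log.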
