Re: [PATCH] Log details for client certificate failures
| From | Peter Eisentraut |
|---|---|
| Subject | Re: [PATCH] Log details for client certificate failures |
| Date | |
| Msg-id | 290871e5-f1d9-54a8-5df4-dbd9e604c08d@enterprisedb.com |
| In response to | Re: [PATCH] Log details for client certificate failures (Jacob Champion <pchampion@vmware.com>) |
| Responses | Re: [PATCH] Log details for client certificate failures |
| List | pgsql-hackers |
On 04.05.22 01:05, Jacob Champion wrote:
> On Tue, 2022-05-03 at 21:06 +0200, Peter Eisentraut wrote:
>> The information in pg_stat_ssl is limited to NAMEDATALEN (see struct
>> PgBackendSSLStatus).
>>
>> It might make sense to align what your patch prints to identify
>> certificates with what is shown in that view.
>
> Sure, a max length should be easy enough to do. Is there a reason to
> limit to NAMEDATALEN specifically? I was under the impression that we
> would rather not have had that limitation in the stats framework, if we
> could have avoided it. (In particular I think NAMEDATALEN will cut off
> the longest possible Common Name by just five bytes.)

Just saying that cutting it off appears to be acceptable. A bit more than 63 bytes should be okay for the log.

In terms of aligning what is printed, I meant that pg_stat_ssl uses the issuer plus serial number to identify the certificate unambiguously.