Graham, will you be able to respond to my questions or provide an updated patch within the next week or so?

On 1/2/18 09:17, Peter Eisentraut wrote:
> The server-side changes look pretty reasonable.
>
> On the client side, I'd like to see some comments explaining the
> business around ssl_ex_data_index.
>
> We could probably do with some more tests. I can see the server-side
> message printed once in the logs of the ssl tests, but there ought to be
> some more cases. For the client side, we should think of a way to have
> the tests expose this new functionality.
>
> Some of the new code in verify_cb() should perhaps be a bit more
> defensive. I don't know all these APIs in detail, but it seems possible
> that some calls will return NULL, which could lead to crashes later on.
>
> I'm also wondering whether it is always safe and sane to print subject
> and issuer. I'd imagine a client could craft a silly certificate setup
> on purpose and the server would just print whatever the client said into
> the logs.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
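
The last concern in the quoted review is that subject and issuer are peer-controlled text written to the server log. A common way to handle that is to escape and bound the value before logging it. The following is an added example, not code from the patch or from PostgreSQL; `sanitize_name_for_log` is a hypothetical helper and the sample CN is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not PostgreSQL code. Copies a peer-supplied name
 * (bytes + length, e.g. from a certificate field) into out[] for logging.
 * Printable ASCII passes through; backslash and every other byte become
 * \xNN, so the value cannot start a new log line or carry terminal escapes.
 * Output is NUL-terminated, ends in "..." if truncated; returns its length. */
size_t sanitize_name_for_log(const unsigned char *in, size_t in_len,
                             char *out, size_t out_cap)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (out == NULL || out_cap < 8)      /* too small to be useful */
        return 0;
    if (in == NULL)                      /* a lookup that returned NULL */
        return (size_t) snprintf(out, out_cap, "(none)");
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = in[i];
        int plain = (c >= 0x20 && c < 0x7f && c != '\\');
        size_t need = plain ? 1 : 4;
        if (o + need + 4 > out_cap) {    /* keep room for "..." and NUL */
            memcpy(out + o, "...", 3);
            o += 3;
            break;
        }
        if (plain) {
            out[o++] = (char) c;
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: a CN carrying a newline and a fake log line. */
    const unsigned char cn[] = "client\nLOG:  connection authorized: user=admin";
    char buf[48];
    sanitize_name_for_log(cn, sizeof cn - 1, buf, sizeof buf);
    printf("LOG:  client certificate subject CN=\"%s\"\n", buf);
    return 0;
}
```

The helper takes an explicit length rather than a C string because certificate string fields can contain embedded NUL bytes, which would otherwise silently cut the logged value short.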