On 03.05.22 19:04, Jacob Champion wrote:
One question/concern -- the Subject that's printed to the logs could be pretty big (OpenSSL limits the incoming certificate chain to 100K, by default), which introduces an avenue for intentional log spamming. Is there an existing convention for limiting the length of log output used for debugging? Maybe I should just hardcode a smaller limit and truncate anything past that? Or we could just log the Common Name, which should be limited to 64 bytes...
The information in pg_stat_ssl is limited to NAMEDATALEN (see struct PgBackendSSLStatus).
It might make sense to align what your patch prints to identify certificates with what is shown in that view.
