> On 23 Aug 2023, at 23:47, Jacob Champion <jchampion@timescale.com> wrote:
>
> On Wed, Aug 23, 2023 at 6:23 AM Daniel Gustafsson <daniel@yesql.se> wrote:
>> This has the smell of a theoretical problem, I can't really imagine a
>> certificate where which would produce this. Have you been able to trigger it?
>>
>> Wouldn't a better fix be to error out on len == -1 as in the attached, maybe
>> with a "Shouldn't happen" comment?
>
> Using "cert clientname=DN" in the HBA should let you issue Subjects
> without Common Names. Or, if you're using a certificate to authorize
> the connection rather than authenticate the user (for example
> "scram-sha-256 clientcert=verify-ca" in your HBA), then the certs you
> distribute could even be SAN-only with a completely empty Subject.
That's a good point, didn't think about those. In those cases the original
patch by Sergey seems along the right lines.
--
Daniel Gustafsson