Participants
Durumdara
Durumdara
Christoph Moench-Tegeder
Christoph Moench-Tegeder
Attachments
Show all attachments
Thread Outline
#1DurumdaraDurumdara
Jun 25, 2020
#2Christoph Moench-TegederChristoph Moench-Tegederto Durumdara (#1)
Jun 25, 2020

Log the incoming old SSL certs by pid or any way

Started by Durumdaraalmost 6 years ago2 messagesgeneral
Jump to latest
#1Durumdara
Durumdara
durumdara@gmail.com

Hello!

PGSQL 9.6, Linux, SSL.
We want to change certs to new, but somehow we need to detect which old
cert is in use before the expiration.
So now they could connect with old and new too. We want to warn the clients
with old certs to update, before they will be denied.

Do we have chance to log somewhere the connected client's certificate, or
some info about it?

As I know the CRL can block unwanted certs - they will be denied.

Is there any, similar list where we can registrate the cert and when it
used we can log it?

Do you know about any mechanism for this? I hope you understand what we
need.

Thank you for it!
dd

#2Christoph Moench-Tegeder
Christoph Moench-Tegeder
cmt@burggraben.net
In reply to: Durumdara (#1)
Re: Log the incoming old SSL certs by pid or any way

## Durumdara (durumdara@gmail.com):

Do we have chance to log somewhere the connected client's certificate, or
some info about it?

There's pg_stat_ssl, and if you had an recent version of PostgreSQL
(9.6 is too old for that), you'd even have the serial number of
the certificate in there:
https://www.postgresql.org/docs/12/monitoring-stats.html#PG-STAT-SSL-VIEW

On the other hand, you could check the certificates directly,
e.g. https://github.com/matteocorti/check_ssl_cert or even
just some scripting around openssl. (That assumes that you know
where those client certificates are).

Regards,
Christoph

--
Spare Space

← Back to Topics