Don't reflect unescaped cert data to the logs

Commit 3a0e385048 introduced a new path for unauthenticated bytes from
the client certificate to be printed unescaped to the logs. There are a
handful of these already, but it doesn't make sense to keep making the
problem worse. \x-escape any unprintable bytes.

The test case introduces a revoked UTF-8 certificate. This requires the
addition of the `-utf8` flag to `openssl req`. Since the existing
certificates all use an ASCII subset, this won't modify the existing
certificates' subjects if/when they get regenerated; this was verified
experimentally with

    $ make sslfiles-clean
    $ make sslfiles

Unfortunately the test can't be run in the CI yet due to a test timing
issue; see 55828a6b60.

Author: Jacob Champion <jchampion@timescale.com>
Discussion: https://www.postgresql.org/message-id/CAAWbhmgsvHrH9wLU2kYc3pOi1KSenHSLAHBbCVmmddW6-mc_=w@mail.gmail.com

src/backend/libpq/be-secure-openssl.c

@@ -27,12 +27,14 @@
 #include <netinet/tcp.h>
 #include <arpa/inet.h>
 
+#include "common/string.h"
 #include "libpq/libpq.h"
 #include "miscadmin.h"
 #include "pgstat.h"
 #include "storage/fd.h"
 #include "storage/latch.h"
 #include "tcop/tcopprot.h"
+#include "utils/builtins.h"
 #include "utils/memutils.h"
 
 /*
@@ -1080,16 +1082,16 @@ dummy_ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
 }
 
 /*
- * Examines the provided certificate name, and if it's too long to log, modifies
+ * Examines the provided certificate name, and if it's too long to log or
- * and truncates it. The return value is NULL if no truncation was needed; it
+ * contains unprintable ASCII, escapes and truncates it. The return value is
- * otherwise points into the middle of the input string, and should not be
+ * always a new palloc'd string. (The input string is still modified in place,
- * freed.
+ * for ease of implementation.)
  */
 static char *
-truncate_cert_name(char *name)
+prepare_cert_name(char *name)
 {
 	size_t		namelen = strlen(name);
-	char	   *truncated;
+	char	   *truncated = name;
 
 	/*
 	 * Common Names are 64 chars max, so for a common case where the CN is the
@@ -1099,19 +1101,20 @@ truncate_cert_name(char *name)
 	 */
 #define MAXLEN 71
 
-	if (namelen <= MAXLEN)
+	if (namelen > MAXLEN)
-		return NULL;
+	{
-
+		/*
-	/*
+		 * Keep the end of the name, not the beginning, since the most specific
-	 * Keep the end of the name, not the beginning, since the most specific
+		 * field is likely to give users the most information.
-	 * field is likely to give users the most information.
+		 */
-	 */
+		truncated = name + namelen - MAXLEN;
-	truncated = name + namelen - MAXLEN;
+		truncated[0] = truncated[1] = truncated[2] = '.';
-	truncated[0] = truncated[1] = truncated[2] = '.';
+		namelen = MAXLEN;
+	}
 
 #undef MAXLEN
 
-	return truncated;
+	return pg_clean_ascii(truncated, 0);
 }
 
 /*
@@ -1154,21 +1157,24 @@ verify_cb(int ok, X509_STORE_CTX *ctx)
 	{
 		char	   *subject,
 				   *issuer;
-		char	   *sub_truncated,
+		char	   *sub_prepared,
-				   *iss_truncated;
+				   *iss_prepared;
 		char	   *serialno;
 		ASN1_INTEGER *sn;
 		BIGNUM	   *b;
 
 		/*
 		 * Get the Subject and Issuer for logging, but don't let maliciously
-		 * huge certs flood the logs.
+		 * huge certs flood the logs, and don't reflect non-ASCII bytes into it
+		 * either.
 		 */
 		subject = X509_NAME_to_cstring(X509_get_subject_name(cert));
-		sub_truncated = truncate_cert_name(subject);
+		sub_prepared = prepare_cert_name(subject);
+		pfree(subject);
 
 		issuer = X509_NAME_to_cstring(X509_get_issuer_name(cert));
-		iss_truncated = truncate_cert_name(issuer);
+		iss_prepared = prepare_cert_name(issuer);
+		pfree(issuer);
 
 		/*
 		 * Pull the serial number, too, in case a Subject is still ambiguous.
@@ -1181,14 +1187,13 @@ verify_cb(int ok, X509_STORE_CTX *ctx)
 		appendStringInfoChar(&str, '\n');
 		appendStringInfo(&str,
 						 _("Failed certificate data (unverified): subject \"%s\", serial number %s, issuer \"%s\"."),
-						 sub_truncated ? sub_truncated : subject,
+						 sub_prepared, serialno ? serialno : _("unknown"),
-						 serialno ? serialno : _("unknown"),
+						 iss_prepared);
-						 iss_truncated ? iss_truncated : issuer);
 
 		BN_free(b);
 		OPENSSL_free(serialno);
-		pfree(issuer);
+		pfree(iss_prepared);
-		pfree(subject);
+		pfree(sub_prepared);
 	}
 
 	/* Store our detail message to be logged later. */

src/test/ssl/conf/client-revoked-utf8.config

@@ -0,0 +1,13 @@
+# An OpenSSL format CSR config file for creating a client certificate.
+#
+# The certificate contains a non-ASCII CN encoded in UTF-8. It is revoked by the
+# client CA.
+
+[ req ]
+distinguished_name     = req_distinguished_name
+prompt                 = no
+
+[ req_distinguished_name ]
+CN                     = Οδυσσέας
+
+# no extensions in client certs

src/test/ssl/ssl/client-crldir/9bb9e3c3.r0

@@ -1,11 +1,12 @@
 -----BEGIN X509 CRL-----
-MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3
-MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy
-MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD
-GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a
-Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7
-AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL
-w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn
-tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
+/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx
+OyPyZz4xy/EShWy+KUklfOoKRo8=
 -----END X509 CRL-----

src/test/ssl/ssl/client-revoked-utf8.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAcACCCAiBxgVKBUAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl
+c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
+Y2VydHMwHhcNMjIwNzE4MjIyODE1WhcNNDkxMjAzMjIyODE1WjAbMRkwFwYDVQQD
+DBDOn860z4XPg8+Dzq3Osc+CMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAvBiL1mVjTrzZ6sbrvfu746dzh+EEyuJNkCwPeJTtpva2wqqRUMYw05cV5kzi
+YQ3UikMP5Yz0FXTeWoahSpJAWeR5XsFx3wOQvRzwi1KWm2CHr/rb7KbPvoZQdXuV
+8UeKrQ6PrEvjoarHAUZuWyUC6EnEAGuiKl5yuax5mkTcK5F8pig2/SS/UonX5ar5
+58rOUEaIdyZmXtrO86cm5S5Oz3G2naQB3PPPOhtkoGBHikRHiqBPVRpX3w9TIpBL
+BZbT4MIZ+fCjZ9wXj4aiDUzPglu6/Tfx9sNcxc6Ilz/XHfPuBVyyjgrny2SrW0W4
+KlhU09y+m5gKL358z8tj599DowIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAE47ns
+wfceztieaRQtoF+gPcCuImOJqaB7jTE6cQ+aoW/q+sUlOh7AD0IZqhS4o0A4O+ny
+MD7kHkpYP+ctHNomsSQRkFTDZ2ZJGcRgxbwMOSvsKcgNOTMGqpXQiP0x0m7QMBGl
+EHeu5MqG/IK/ZlH9aOTvSnHegB6ztct/7wXMeFCflsWLp6wvnv9YpddaaXf95Oms
+9kwbVYkI1wxaBsAO8VGbJw1YtdErgd65qKTJa45xndtm61i1Jeig5asSNQPwjfZ5
+aNHZ9GsSwsc31Q/6iiezbPwgdAi3ih//uB2hznkMhObnqzR3n8Sw9zgL7DdFr2y9
+2R7kJuGq6DvlWFYS
+-----END CERTIFICATE-----

src/test/ssl/ssl/client-revoked-utf8.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvBiL1mVjTrzZ6sbrvfu746dzh+EEyuJNkCwPeJTtpva2wqqR
+UMYw05cV5kziYQ3UikMP5Yz0FXTeWoahSpJAWeR5XsFx3wOQvRzwi1KWm2CHr/rb
+7KbPvoZQdXuV8UeKrQ6PrEvjoarHAUZuWyUC6EnEAGuiKl5yuax5mkTcK5F8pig2
+/SS/UonX5ar558rOUEaIdyZmXtrO86cm5S5Oz3G2naQB3PPPOhtkoGBHikRHiqBP
+VRpX3w9TIpBLBZbT4MIZ+fCjZ9wXj4aiDUzPglu6/Tfx9sNcxc6Ilz/XHfPuBVyy
+jgrny2SrW0W4KlhU09y+m5gKL358z8tj599DowIDAQABAoIBAQCpdePmUInb0kDy
+SCzziOyJ+b8YWB4dOy1uCoQVuvcxSWz2jP1GrIgo2SGdzv7VOcSWnDyiLw9olVYO
+cOS3bnQTiMfgGqAgr/Gir4P3wXx2l80nOvcQimj32cJ7VdCNBEtoBopiTCzU5itM
+dsvNydaIuIyhZFdBnL33kfAskIVbqbgNyMCuDvhEMGFh7T193j3cKnvcfoHsSoNK
+65MT53764P404avgH9+C0W41GvXoMY5BUphUiCwi5TKIvalNP9Gu2LI3R4J3tAE1
+QSR/3Jtaunb5izCyi23MZC+mdz9EALeYRmLpXsspbHaPXDpUA67xifCKnX4JUPVf
+Op5XcXjhAoGBAN/Jt7TFPypRtbW200zx6F3RmToWRnvgn5vaNTmiy0ivcHJu4MLS
+o0yiV3VWksf1PCInK19C1yFo6H2lkhKhvipL62MoRkspOUJcMh42DPPf/RDMhYnF
+8MVQ1TlMdg/I4YXGzsrfl93eFERRjWiAt8b58D9OVpWcQNZMPmGztes3AoGBANcr
+n8ZmGZ5JDzbc+N9l1bGJuRT6PvH0rpoKjWOyaVMDedAUnCbfq01j42zXMfQLR1nE
+67Z6oWrBNNdEJFBhTzTZ+ZYXxpJP/FYJQ19dOCTKN1LQ79OAbSsU0NBLkss4a903
+9JQ+zhrEIEaXCTV9sEnp10KrEo6ctuaqMOkVCBj1AoGBAJy/Xb1wq12o/e3ZsQck
+Ke4M8ZaOI7CBFUrE/KLyNBElUU3V+/h6MYdr7nZxvT3xt7z0UpzW5HiyUqYvYrFK
+OTjHFIjPnOzoYwLoMPKYSVpIealal+54hryucatAszE7MzvQlOfk1SrCcs+nj7Sy
+9Aaa6nxtEpiYaZGwtcEZb0LhAoGAJYODjbGLUd9m+ae49CnrAdMDI7cldkW0k0K3
+t+QJHOIEQNT3DIf+c7Wwlu9F1EiLHgmJFv12WwhoUAefVSxCBPLj4tkuU6ACXHWs
++1ljSna/An9O8M75OYOdjFNAupGRrLXuvFHe2SfMgMIgZuUM8TYFw6fTym1kLf8K
+G/kAumkCgYBBD0TXDDAmVCYECSG1Uz35vm9GitbIe++o2ykO2sdB5mPRiMsfVJw4
+bVInkvV6Y2u4ltsNsS/0Y3A2xq/CnYhc7PeIIWFnfoyuHaIM4TIAflpM6qf4lOWE
+8Ot31P8Mt5U0cvCBuKpu0r9by66xX6yqKCqTPMSvbL7MCx5ukGYY7g==
+-----END RSA PRIVATE KEY-----

src/test/ssl/ssl/client.crl

@@ -1,11 +1,12 @@
 -----BEGIN X509 CRL-----
-MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3
-MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy
-MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD
-GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a
-Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7
-AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL
-w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn
-tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
+/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx
+OyPyZz4xy/EShWy+KUklfOoKRo8=
 -----END X509 CRL-----

src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0

@@ -1,11 +1,12 @@
 -----BEGIN X509 CRL-----
-MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3
-MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy
-MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD
-GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a
-Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7
-AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL
-w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn
-tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
+/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx
+OyPyZz4xy/EShWy+KUklfOoKRo8=
 -----END X509 CRL-----

src/test/ssl/ssl/root+client.crl

@@ -10,13 +10,14 @@ SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R
 +GrJP3XxJ1OC
 -----END X509 CRL-----
 -----BEGIN X509 CRL-----
-MIIBpTCBjjANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMTAz
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3
-MDMyMjEyMDdaFw00ODA3MTkyMjEyMDdaMBswGQIIICEDAxQSBwEXDTIxMDMwMzIy
+MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy
-MTIwN1owDQYJKoZIhvcNAQELBQADggEBAC1AJ+HhHg74uXNXdoXLnqDhowdx1y3z
+MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD
-GKSTPH4iW6jvGp7mMeJhq7cx5kzC+Rqtjui7FjkXbvGd4f6ZVKf30tDD/LvVLxLU
+ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a
-Up7TmwZjYHbB4NPMyMyqUxtusjYm6HFhbfJwf11TQFwF9yRN3MI4os3J9KTzvhY1
+SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7
-AvfyEqhBdeygkc1cDduZD+cx7QFYtaeD316q4lz8yfegtxwng8/JDlThu72zdpWV
+Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL
-w0LuzLei1A9cPXoXfMxRGVEOrDt5z3ArNqdD0bnXTTYqm1IX8ZRHDNeUi4NuFCCu
+rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn
-tKWT4j9ad4mMcJ6TY/8MiJ14mSJmWSR8115QT69rrQIdDu0sA/sBJX0=
+/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx
+OyPyZz4xy/EShWy+KUklfOoKRo8=
 -----END X509 CRL-----

src/test/ssl/sslfiles.mk

@@ -33,7 +33,8 @@ SERVERS := server-cn-and-alt-names \
 	server-multiple-alt-names \
 	server-no-names \
 	server-revoked
-CLIENTS := client client-dn client-revoked client_ext client-long
+CLIENTS := client client-dn client-revoked client_ext client-long \
+	client-revoked-utf8
 
 #
 # To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe
@@ -175,7 +176,7 @@ $(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/client_c
 # The CSRs don't need to persist after a build.
 .INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
 ssl/%.csr: ssl/%.key conf/%.config
-	openssl req -new -key $< -out $@ -config conf/$*.config
+	openssl req -new -utf8 -key $< -out $@ -config conf/$*.config
 
 #
 # CA State
@@ -215,8 +216,9 @@ ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_fil
 	openssl ca -config conf/cas.config -name server_ca -revoke $<
 	openssl ca -config conf/cas.config -name server_ca -gencrl -out $@
 
-ssl/client.crl: ssl/client-revoked.crt ssl/client_ca.crt | $(client_ca_state_files)
+ssl/client.crl: ssl/client-revoked.crt ssl/client-revoked-utf8.crt ssl/client_ca.crt | $(client_ca_state_files)
-	openssl ca -config conf/cas.config -name client_ca -revoke $<
+	openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt
+	openssl ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt
 	openssl ca -config conf/cas.config -name client_ca -gencrl -out $@
 
 #

src/test/ssl/t/001_ssltests.pl

@@ -793,4 +793,17 @@ $node->connect_fails(
 #	]
 );
 
+# revoked client cert, non-ASCII subject
+$node->connect_fails(
+	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt "
+	  . sslkey('client-revoked-utf8.key'),
+	"certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory",
+	expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
+	# temporarily(?) skip this check due to timing issue
+#	log_like => [
+#		qr{Client certificate verification failed at depth 0: certificate revoked},
+#		qr{Failed certificate data \(unverified\): subject "/CN=\\xce\\x9f\\xce\\xb4\\xcf\\x85\\xcf\\x83\\xcf\\x83\\xce\\xad\\xce\\xb1\\xcf\\x82", serial number 2315420958437414144, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
+#	]
+);
+
 done_testing();

src/test/ssl/t/SSL/Backend/OpenSSL.pm

@@ -88,7 +88,8 @@ sub init
 		"client.key",               "client-revoked.key",
 		"client-der.key",           "client-encrypted-pem.key",
 		"client-encrypted-der.key", "client-dn.key",
-		"client_ext.key",           "client-long.key");
+		"client_ext.key",           "client-long.key",
+		"client-revoked-utf8.key");
 	foreach my $keyfile (@keys)
 	{
 		copy("ssl/$keyfile", "$cert_tempdir/$keyfile")