libpq_system_ca_fix_v3.diff
application/octet-stream
Filename: libpq_system_ca_fix_v3.diff
Type: application/octet-stream
Part: 0
Patch
Format: unified
Series: patch v3
| File | + | − |
|---|---|---|
| src/interfaces/libpq/fe-secure-openssl.c | 17 | 3 |
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 00b203cbfa..a2cc612f4b 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1489,10 +1489,12 @@ open_client_SSL(PGconn *conn)
{
int r;
+ SOCK_ERRNO_SET(0);
ERR_clear_error();
r = SSL_connect(conn->ssl);
if (r <= 0)
{
+ int save_errno = SOCK_ERRNO;
int err = SSL_get_error(conn->ssl, r);
unsigned long ecode;
@@ -1508,10 +1510,22 @@ open_client_SSL(PGconn *conn)
case SSL_ERROR_SYSCALL:
{
char sebuf[PG_STRERROR_R_BUFLEN];
-
- if (r == -1)
+ unsigned long vcode;
+
+ vcode = SSL_get_verify_result(conn->ssl);
+
+ /*
+ * If we get an X509 error here without an error in the
+ * socket layer it means that verification failed without
+ * it being a protocol error. A common cause is trying to
+ * a default system CA which is missing or broken.
+ */
+ if (!save_errno && vcode != X509_V_OK)
+ libpq_append_conn_error(conn, "SSL error: certificate verify failed: %s",
+ X509_verify_cert_error_string(ecode));
+ else if (r == -1)
libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
- SOCK_STRERROR(SOCK_ERRNO, sebuf, sizeof(sebuf)));
+ SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
else
libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
pgtls_close(conn);