Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
Cc: Jacob Champion <jchampion@timescale.com>,
"Gregory Stark (as CFM)" <stark.cfm@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Magnus Hagander <magnus@hagander.net>,
Michael Paquier <michael@paquier.xyz>,
thomas@habets.se,
Tom Lane <tgl@sss.pgh.pa.us>,
Bruce Momjian <bruce@momjian.us>,
Andrew Dunstan <andrew@dunslane.net>,
Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-12T19:57:27Z
Lists: pgsql-hackers
> On 12 Apr 2023, at 21:43, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > > On 12.04.23 18:54, Jacob Champion wrote: >> Peter, you should have a .../etc/openssl@3/certs directory somewhere >> in your Homebrew installation prefix -- do you, or has Homebrew >> removed it by mistake? > > I don't have that, but I don't have it for openssl@1.1 either. The important bit is that your OPENSSLDIR points to a directory which has the content OpenSSL needs. > I have > > ~$ ll /usr/local/etc/openssl@3 > total 76 > drwxr-xr-x 7 peter admin 224 2023-03-08 08:49 misc/ > lrwxr-xr-x 1 peter admin 27 2023-03-21 13:41 cert.pem -> ../ca-certificates/cert.pem > -rw-r--r-- 1 peter admin 412 2023-03-21 13:41 ct_log_list.cnf > -rw-r--r-- 1 peter admin 412 2023-03-21 13:41 ct_log_list.cnf.dist > -rw-r--r-- 1 peter admin 351 2023-03-08 08:57 fipsmodule.cnf > -rw-r--r-- 1 peter admin 12386 2023-03-13 10:49 openssl.cnf > -rw-r--r-- 1 peter admin 12292 2023-03-21 13:41 openssl.cnf.default > -rw-r--r-- 1 peter admin 12292 2023-03-08 08:49 openssl.cnf.dist > -rw-r--r-- 1 peter admin 12292 2023-03-21 13:41 openssl.cnf.dist.default Assuming that's your OPENSSLDIR, then that looks like it should (it's precisely what I have). Just to further rule out any issues in the installation, If you run the command from upthread, does that properly verify postgresql.org? echo Q | <path to>openssl@3/bin/openssl s_client -connect postgresql.org:443 -verify_return_error Is the failure repeatable enough that you might be able to tease something out of the log? I've been trying again today but been unable to reproduce this =( We don't have great coverage of macOS in the buildfarm sadly, I wonder if can get sifaka to run the SSL tests if we ask nicely? -- Daniel Gustafsson
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed