Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
Cc: Jacob Champion <jchampion@timescale.com>,
Daniel Gustafsson <daniel@yesql.se>,
"Gregory Stark (as CFM)" <stark.cfm@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Magnus Hagander <magnus@hagander.net>,
Michael Paquier <michael@paquier.xyz>, thomas@habets.se,
Bruce Momjian <bruce@momjian.us>,
Andrew Dunstan <andrew@dunslane.net>,
Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-12T21:40:18Z
Lists: pgsql-hackers
Peter Eisentraut <peter.eisentraut@enterprisedb.com> writes: > On 12.04.23 22:52, Jacob Champion wrote: >> Does the test start passing if you create an empty certs directory? It >> still wouldn't explain why Daniel's setup is succeeding... > After > mkdir /usr/local/etc/openssl@3/certs > the tests pass! Likewise, though MacPorts unsurprisingly uses a different place: $ openssl info -configdir /opt/local/libexec/openssl3/etc/openssl $ sudo mkdir /opt/local/libexec/openssl3/etc/openssl/certs $ make check PG_TEST_EXTRA=ssl ... success! So this smells to me like a new OpenSSL bug: they should tolerate a missing certs dir like they used to. Who wants to file it? regards, tom lane
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed