Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Thomas Munro <thomas.munro@gmail.com>, Peter Eisentraut <peter.eisentraut@enterprisedb.com>, Jacob Champion <jchampion@timescale.com>, "Gregory Stark (as CFM)" <stark.cfm@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Magnus Hagander <magnus@hagander.net>, Michael Paquier <michael@paquier.xyz>, thomas@habets.se, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>, Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-13T05:43:12Z
Lists: pgsql-hackers
Daniel Gustafsson <daniel@yesql.se> writes:
> On 12 Apr 2023, at 22:23, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Plausible alternatives include:
>> 2. Run a second BF animal that's intentionally pointed at the MacPorts
>> environment, in hopes of testing what MacPorts users would see.
>> 
>> #2 feels like it might not be a waste of cycles, and certainly that
>> machine is underworked at the moment.  Thoughts?

> I think #2 would be a good addition.  Most won't build OpenSSL themselves so
> seeing builds from envs that are reasonable to expect in the wild is more
> interesting.

I have an animal cranked up and awaiting approval; however, it fails
the src/test/ldap tests in v11, apparently because aa1419e63 was not
back-patched.  Barring objections, I'll back-patch that before
bringing the animal on-line (or Thomas can do it, if he wishes).

			regards, tom lane



Commits

  1. ci: Remove OpenSSL 3.1 workaround for missing system CA

  2. Fix errormessage for missing system CA in OpenSSL 3.1

  3. Add MacPorts support to src/test/ldap tests.

  4. Allow to use system CA pool for certificate verification