Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Peter Eisentraut <peter.eisentraut@enterprisedb.com>, Jacob Champion <jchampion@timescale.com>, "Gregory Stark (as CFM)" <stark.cfm@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Magnus Hagander <magnus@hagander.net>, Michael Paquier <michael@paquier.xyz>, thomas@habets.se, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>, Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-13T22:52:20Z
Lists: pgsql-hackers
Daniel Gustafsson <daniel@yesql.se> writes:
> The attached diff passes the tests on OpenSSL 1.0.1 through 3.1 as well as on
> LibreSSL. Thoughts?

1. You can't assume that errno starts out zero, unless you zero it
right before SSL_connect.

2. I wonder whether it's safe to assume that errno (a/k/a SOCK_ERRNO)
can't be clobbered by SSL_get_verify_result.

3. It seems weird to refer to errno directly just a couple lines away
from where we refer to it via SOCK_ERRNO.  Will this even compile
on Windows?

			regards, tom lane



Commits

  1. ci: Remove OpenSSL 3.1 workaround for missing system CA

  2. Fix errormessage for missing system CA in OpenSSL 3.1

  3. Add MacPorts support to src/test/ldap tests.

  4. Allow to use system CA pool for certificate verification