Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Peter Eisentraut <peter.eisentraut@enterprisedb.com>,
Jacob Champion <jchampion@timescale.com>,
"Gregory Stark (as CFM)" <stark.cfm@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Magnus Hagander <magnus@hagander.net>,
Michael Paquier <michael@paquier.xyz>, thomas@habets.se,
Bruce Momjian <bruce@momjian.us>,
Andrew Dunstan <andrew@dunslane.net>,
Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-13T23:27:45Z
Lists: pgsql-hackers
Daniel Gustafsson <daniel@yesql.se> writes:
> Good points, it should of course be SOCK_ERRNO. The attached saves off errno
> and reinstates it to avoid clobbering. Will test it on Windows in the morning
> as well.
I think instead of this:
+ SOCK_ERRNO_SET(save_errno);
you could just do this:
libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
- SOCK_STRERROR(SOCK_ERRNO, sebuf, sizeof(sebuf)));
+ SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
Although ... we're already assuming that SSL_get_error and ERR_get_error
don't clobber errno. Maybe SSL_get_verify_result doesn't either.
Or we could make it look like this:
+ SOCK_ERRNO_SET(0);
ERR_clear_error();
r = SSL_connect(conn->ssl);
if (r <= 0)
+ int save_errno = SOCK_ERRNO;
int err = SSL_get_error(conn->ssl, r);
unsigned long ecode;
...
- SOCK_STRERROR(SOCK_ERRNO, sebuf, sizeof(sebuf)));
+ SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
to remove all doubt.
regards, tom lane
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed