Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Andrew Dunstan <andrew@dunslane.net>
Cc: Jacob Champion <pchampion@vmware.com>, "cam@macaroon.net" <cam@macaroon.net>, "thomas@habets.se" <thomas@habets.se>, "stark@mit.edu" <stark@mit.edu>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, "tgl@sss.pgh.pa.us" <tgl@sss.pgh.pa.us>
Date: 2021-09-22T20:12:03Z
Lists: pgsql-hackers
> On 22 Sep 2021, at 20:59, Andrew Dunstan <andrew@dunslane.net> wrote:

> I think we need to be consistent on this. NSS builds and OpenSSL builds
> should act the same, mutatis mutandis.

I 100% agree.  Different TLS backends should be able use different truststores
etc but once the server is running they must be identical in terms of how they
interact with a connecting client.  I've tried hard to match our OpenSSL
implementation when hacking on the NSS support, but no doubt I've slipped up
somewhere so indepth reviews like what Jacob et.al have done is needed (and
very welcome).

--
Daniel Gustafsson		https://vmware.com/




Commits

  1. ci: Remove OpenSSL 3.1 workaround for missing system CA

  2. Fix errormessage for missing system CA in OpenSSL 3.1

  3. Add MacPorts support to src/test/ldap tests.

  4. Allow to use system CA pool for certificate verification