Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Andrew Dunstan <andrew@dunslane.net>
Cc: Jacob Champion <pchampion@vmware.com>,
"cam@macaroon.net" <cam@macaroon.net>,
"thomas@habets.se" <thomas@habets.se>,
"stark@mit.edu" <stark@mit.edu>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>,
"tgl@sss.pgh.pa.us" <tgl@sss.pgh.pa.us>
Date: 2021-09-22T20:12:03Z
Lists: pgsql-hackers
> On 22 Sep 2021, at 20:59, Andrew Dunstan <andrew@dunslane.net> wrote: > I think we need to be consistent on this. NSS builds and OpenSSL builds > should act the same, mutatis mutandis. I 100% agree. Different TLS backends should be able use different truststores etc but once the server is running they must be identical in terms of how they interact with a connecting client. I've tried hard to match our OpenSSL implementation when hacking on the NSS support, but no doubt I've slipped up somewhere so indepth reviews like what Jacob et.al have done is needed (and very welcome). -- Daniel Gustafsson https://vmware.com/
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed