Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Peter Eisentraut <peter.eisentraut@enterprisedb.com>, Jacob Champion <jchampion@timescale.com>, "Gregory Stark (as CFM)" <stark.cfm@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Magnus Hagander <magnus@hagander.net>, Michael Paquier <michael@paquier.xyz>, thomas@habets.se, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>, Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-14T08:04:27Z
Lists: pgsql-hackers

Attachments

> On 14 Apr 2023, at 01:27, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> 
> Daniel Gustafsson <daniel@yesql.se> writes:
>> Good points, it should of course be SOCK_ERRNO.  The attached saves off errno
>> and reinstates it to avoid clobbering.  Will test it on Windows in the morning
>> as well.
> 
> I think instead of this:
> 
> +                    SOCK_ERRNO_SET(save_errno);
> 
> you could just do this:
> 
>                         libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
> -                                           SOCK_STRERROR(SOCK_ERRNO, sebuf, sizeof(sebuf)));
> +                                           SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
> 
> Although ... we're already assuming that SSL_get_error and ERR_get_error
> don't clobber errno.  Maybe SSL_get_verify_result doesn't either.
> Or we could make it look like this:
> 
> +    SOCK_ERRNO_SET(0);
>     ERR_clear_error();
>     r = SSL_connect(conn->ssl);
>     if (r <= 0)
> +       int            save_errno = SOCK_ERRNO;
>        int            err = SSL_get_error(conn->ssl, r);
>        unsigned long ecode;
> 
>        ...
> 
> -                                           SOCK_STRERROR(SOCK_ERRNO, sebuf, sizeof(sebuf)));
> +                                           SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
> 
> to remove all doubt.

I mainly put save_errno back into SOCK_ERRNO for greppability, I don't have any
strong opinions either way so I went with the latter suggestion.  Attached v3
does the above change and passes the tests both with a broken and working
system CA pool.  Unless objections from those with failing local envs I propose
this is pushed to close the open item.

--
Daniel Gustafsson

Commits

  1. ci: Remove OpenSSL 3.1 workaround for missing system CA

  2. Fix errormessage for missing system CA in OpenSSL 3.1

  3. Add MacPorts support to src/test/ldap tests.

  4. Allow to use system CA pool for certificate verification