Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Peter Eisentraut <peter.eisentraut@enterprisedb.com>,
Jacob Champion <jchampion@timescale.com>,
"Gregory Stark (as CFM)" <stark.cfm@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Magnus Hagander <magnus@hagander.net>,
Michael Paquier <michael@paquier.xyz>,
thomas@habets.se,
Bruce Momjian <bruce@momjian.us>,
Andrew Dunstan <andrew@dunslane.net>,
Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-12T20:29:45Z
Lists: pgsql-hackers
> On 12 Apr 2023, at 22:23, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Daniel Gustafsson <daniel@yesql.se> writes: >> We don't have great coverage of macOS in the buildfarm sadly, I wonder if can >> get sifaka to run the SSL tests if we ask nicely? > > I was just looking into that, but it seems like it'd be a mess. > > I have a modern openssl installation from MacPorts, but if > I try to select that I am going to end up compiling with > -I/opt/local/include -L/opt/local/lib, which exposes all of the > metric buttload of stuff that MacPorts tends to pull in. sifaka > is intended to test in a reasonably-default macOS environment, > and that would be far from it. That makes sense. > Plausible alternatives include: > > 1. Hand-built private copy of openssl. longfin is set up that way, > but I'm not really eager to duplicate that approach, especially if > we want to test cutting-edge openssl. > > 2. Run a second BF animal that's intentionally pointed at the MacPorts > environment, in hopes of testing what MacPorts users would see. > > #2 feels like it might not be a waste of cycles, and certainly that > machine is underworked at the moment. Thoughts? I think #2 would be a good addition. Most won't build OpenSSL themselves so seeing builds from envs that are reasonable to expect in the wild is more interesting. -- Daniel Gustafsson
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed