Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Jacob Champion <jchampion@timescale.com>
From: Jacob Champion <jchampion@timescale.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Peter Eisentraut <peter.eisentraut@enterprisedb.com>, "Gregory Stark (as CFM)" <stark.cfm@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Magnus Hagander <magnus@hagander.net>, Michael Paquier <michael@paquier.xyz>,
thomas@habets.se, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>, Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-12T16:54:20Z
Lists: pgsql-hackers
On Wed, Apr 12, 2023 at 2:24 AM Daniel Gustafsson <daniel@yesql.se> wrote: > > On 12 Apr 2023, at 09:11, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > > # Failed test 'sslrootcert=system does not connect with private CA: matches' > > # at t/001_ssltests.pl line 479. > > # 'psql: error: connection to server at "127.0.0.1", port 53971 failed: SSL SYSCALL error: Undefined error: 0' > > # doesn't match '(?^:SSL error: certificate verify failed)' > > > > This is with OpenSSL 3.1.0 from macOS/Homebrew. > > > > If I instead use OpenSSL 1.1.1t, then the tests pass. > > I am unable to reproduce this (or any failure) with OpenSSL 3.1 built from > source (or 3.0 or 3.1.1-dev) or installed via homebrew (on macOS 12 with Intel > CPU). Do you have any more clues from logs what might've happened? This looks similar (but not identical) to the brew bug we're working around for Cirrus, in which `brew cleanup` breaks the OpenSSL installation and turns certificate verification failures into bizarrely unhelpful messages. Peter, you should have a .../etc/openssl@3/certs directory somewhere in your Homebrew installation prefix -- do you, or has Homebrew removed it by mistake? --Jacob
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed