Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Jacob Champion <jchampion@timescale.com>
From: Jacob Champion <jchampion@timescale.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: "Gregory Stark (as CFM)" <stark.cfm@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Magnus Hagander <magnus@hagander.net>, Michael Paquier <michael@paquier.xyz>,
thomas@habets.se, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>, Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-03T19:04:50Z
Lists: pgsql-hackers
On Sun, Apr 2, 2023 at 1:36 PM Daniel Gustafsson <daniel@yesql.se> wrote:
> > On 31 Mar 2023, at 19:59, Jacob Champion <jchampion@timescale.com> wrote:
> > I can make that change; note that it'll also skip some of the new tests
> > with OpenSSL 1.0.1, where there's no SSL_CTX_set_cert_cb. If that's
> > acceptable, it should be an easy switch.
>
> I'm not sure I follow, AFAICT it's present all the way till 3.1 at least? What
> am I missing?
I don't see it anywhere in my 1.0.1 setup, and Meson doesn't define
HAVE_SSL_CTX_SET_CERT_CB when built against it.
> > Is there something we could document that's more helpful than "make sure
> > your installation isn't broken"?
>
> I wonder if there is an openssl command line example for verifying defaults
> that we can document and refer to?
We could maybe have them connect to a known host:
$ echo Q | openssl s_client -connect postgresql.org:443 -verify_return_error
Alternatively, OpenSSL will show you the OPENSSLDIR:
$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
and then we could tell users to ensure they have a populated certs/
directory or a cert.pem file underneath it. That'll be prone to rot,
though (e.g. OpenSSL 3 introduces the default store in addition to the
default file+directory).
Thanks,
--Jacob
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed