Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Jacob Champion <jchampion@timescale.com>

From: Jacob Champion <jchampion@timescale.com>
To: thomas@habets.se
Cc: pgsql-hackers@postgresql.org, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>
Date: 2022-11-01T17:55:49Z
Lists: pgsql-hackers
On Tue, Nov 1, 2022 at 10:03 AM Jacob Champion <jchampion@timescale.com> wrote:
> I'm not familiar with "unregistered scheme" in this context and will
> need to dig in.

Unfortunately I can't reproduce with 3.0.0 on Ubuntu :(

I'm suspicious that it may be related to [1], in which case the
problem might be fixed by upgrading to the latest OpenSSL. But that's
just a guess.

--Jacob

[1] https://github.com/openssl/openssl/issues/18691



Commits

  1. ci: Remove OpenSSL 3.1 workaround for missing system CA

  2. Fix errormessage for missing system CA in OpenSSL 3.1

  3. Add MacPorts support to src/test/ldap tests.

  4. Allow to use system CA pool for certificate verification