Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Jacob Champion <jchampion@timescale.com>
From: Jacob Champion <jchampion@timescale.com>
To: Magnus Hagander <magnus@hagander.net>
Cc: Jelte Fennema <postgres@jeltef.nl>, Michael Paquier <michael@paquier.xyz>,
thomas@habets.se, pgsql-hackers@postgresql.org, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>
Date: 2023-01-11T19:06:45Z
Lists: pgsql-hackers
On Wed, Jan 11, 2023 at 10:23 AM Magnus Hagander <magnus@hagander.net> wrote: > Sorry to jump in (very) late in this game. So first, I like this general approach :) Thanks! > It feels icky to have to add configure tests just to make a test work. But I guess there isn't really a way around that if we want to test the full thing. I agree... > However, shouldn't we be using X509_get_default_cert_file_env() to get the name of the env? Granted it's unlikely to be anything else, but if it's an API you're supposed to use. (In an ideal world that function would not return anything in LibreSSL but I think it does include something, and then just ignores it?) I think you're right, but before I do that, is the cure better than the disease? It seems like that would further complicate a part of the Perl tests that is already unnecessarily complicated. (The Postgres code doesn't use the envvar at all.) Unless you already know of an OpenSSL-alike that doesn't use that same envvar name? --Jacob
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed