Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Jacob Champion <jchampion@timescale.com>
From: Jacob Champion <jchampion@timescale.com>
To: thomas@habets.se
Cc: pgsql-hackers@postgresql.org, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>
Date: 2022-11-08T01:04:14Z
Lists: pgsql-hackers
Attachments
- since-v2.diff.txt (text/plain)
- v3-0001-libpq-add-sslrootcert-system-to-use-default-CAs.patch (text/x-patch) patch v3-0001
- v3-0002-libpq-force-sslmode-verify-full-for-system-CAs.patch (text/x-patch) patch v3-0002
On Thu, Nov 3, 2022 at 4:39 PM Jacob Champion <jchampion@timescale.com> wrote: > There is an additional test failure with LibreSSL, which doesn't appear > to honor the SSL_CERT_FILE environment variable. This isn't a problem in > production -- if you're using LibreSSL, you'd presumably understand that > you can't use that envvar -- but it makes testing difficult, because I > don't yet know a way to tell LibreSSL to use a different set of roots > for the duration of a test. Has anyone dealt with this before? Fixed in v3, with a large hammer (configure-time checks). Hopefully I've missed a simpler solution. > > If there are no valuable use cases for weaker checks, then we could go > > even further than my 0002 and just reject any weaker sslmodes > > outright. That'd be nice. Done. sslrootcert=system now prevents you from explicitly setting a weaker sslmode, to try to cement it as a Do What I Mean sort of feature. If you need something weird then you can still jump through the hoops by setting sslrootcert to a real file, same as today. The macOS/OpenSSL 3.0.0 failure is still unfixed. Thanks, --Jacob
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed