Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Jacob Champion <jchampion@timescale.com>
From: Jacob Champion <jchampion@timescale.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: "Gregory Stark (as CFM)" <stark.cfm@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Magnus Hagander <magnus@hagander.net>, Michael Paquier <michael@paquier.xyz>,
thomas@habets.se, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>, Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-03T21:09:57Z
Lists: pgsql-hackers
Attachments
- since-v9.diff.txt (text/plain)
- v10-0002-libpq-force-sslmode-verify-full-for-system-CAs.patch (text/x-patch) patch v10-0002
- v10-0001-libpq-add-sslrootcert-system-to-use-default-CAs.patch (text/x-patch) patch v10-0001
On Mon, Apr 3, 2023 at 12:40 PM Daniel Gustafsson <daniel@yesql.se> wrote: > Doh, sorry, my bad. I read and wrote 1.0.1 but was thinking about 1.0.2. You > are right, in 1.0.1 that API does not exist. I'm not all too concerned with > skipping this tests on OpenSSL versions that by the time 16 ships are 6 years > EOL - and I'm not convinced that spending meson/autoconf cycles to include them > is warranted. Cool. v10 keys off of HAVE_SSL_CTX_SET_CERT_CB, instead. > > We could maybe have them connect to a known host: > > > > $ echo Q | openssl s_client -connect postgresql.org:443 -verify_return_error > > Something along these lines is probably best, if we do it at all. Needs > sleeping on. Sounds good. Thanks! --Jacob
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed