Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Magnus Hagander <magnus@hagander.net>
From: Magnus Hagander <magnus@hagander.net>
To: Jacob Champion <jchampion@timescale.com>
Cc: Jelte Fennema <postgres@jeltef.nl>, Michael Paquier <michael@paquier.xyz>,
thomas@habets.se, pgsql-hackers@postgresql.org, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>
Date: 2023-01-11T21:58:47Z
Lists: pgsql-hackers
On Wed, Jan 11, 2023 at 8:06 PM Jacob Champion <jchampion@timescale.com> wrote: > On Wed, Jan 11, 2023 at 10:23 AM Magnus Hagander <magnus@hagander.net> > wrote: > > Sorry to jump in (very) late in this game. So first, I like this general > approach :) > > Thanks! > > > It feels icky to have to add configure tests just to make a test work. > But I guess there isn't really a way around that if we want to test the > full thing. > > I agree... > > > However, shouldn't we be using X509_get_default_cert_file_env() to get > the name of the env? Granted it's unlikely to be anything else, but if > it's an API you're supposed to use. (In an ideal world that function would > not return anything in LibreSSL but I think it does include something, and > then just ignores it?) > > I think you're right, but before I do that, is the cure better than > the disease? It seems like that would further complicate a part of the > Perl tests that is already unnecessarily complicated. (The Postgres > code doesn't use the envvar at all.) Unless you already know of an > OpenSSL-alike that doesn't use that same envvar name? > Fair point. No, I have not run into one, I just recalled having seen the API :) And you're right -- I didn't consider that we were looking at that one in the *perl* code, not the C code. In the C code it would've been a trivial replacement. In the perl, I agree it's not worth it -- at least not until we run into a platform where it *would' matter. -- Magnus Hagander Me: https://www.hagander.net/ <http://www.hagander.net/> Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed