Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Magnus Hagander <magnus@hagander.net>

From: Magnus Hagander <magnus@hagander.net>
To: Jacob Champion <jchampion@timescale.com>
Cc: Jelte Fennema <postgres@jeltef.nl>, Michael Paquier <michael@paquier.xyz>, thomas@habets.se, pgsql-hackers@postgresql.org, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>
Date: 2023-01-11T21:58:47Z
Lists: pgsql-hackers
On Wed, Jan 11, 2023 at 8:06 PM Jacob Champion <jchampion@timescale.com>
wrote:

> On Wed, Jan 11, 2023 at 10:23 AM Magnus Hagander <magnus@hagander.net>
> wrote:
> > Sorry to jump in (very) late in this game. So first, I like this general
> approach :)
>
> Thanks!
>
> > It feels icky to have to add configure tests just to make a test work.
> But I guess there isn't really a way around that if we want to test the
> full thing.
>
> I agree...
>
> > However, shouldn't we be using X509_get_default_cert_file_env() to get
> the name of the env? Granted it's  unlikely to be anything else, but if
> it's an API you're supposed to use. (In an ideal world that function would
> not return anything in LibreSSL but I think it does include something, and
> then just ignores it?)
>
> I think you're right, but before I do that, is the cure better than
> the disease? It seems like that would further complicate a part of the
> Perl tests that is already unnecessarily complicated. (The Postgres
> code doesn't use the envvar at all.) Unless you already know of an
> OpenSSL-alike that doesn't use that same envvar name?
>

Fair point. No, I have not run into one, I just recalled having seen the
API :)

And you're right -- I didn't consider that we were looking at that one in
the *perl* code, not the C code. In the C code it would've been a trivial
replacement. In the perl, I agree it's not worth it -- at least not until
we run into a platform where it *would' matter.

-- 
 Magnus Hagander
 Me: https://www.hagander.net/ <http://www.hagander.net/>
 Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>

Commits

  1. ci: Remove OpenSSL 3.1 workaround for missing system CA

  2. Fix errormessage for missing system CA in OpenSSL 3.1

  3. Add MacPorts support to src/test/ldap tests.

  4. Allow to use system CA pool for certificate verification