Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Jelte Fennema-Nio <postgres@jeltef.nl>
From: Jelte Fennema <postgres@jeltef.nl>
To: Jacob Champion <jchampion@timescale.com>
Cc: Michael Paquier <michael@paquier.xyz>, thomas@habets.se,
pgsql-hackers@postgresql.org, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>
Date: 2023-01-11T14:37:17Z
Lists: pgsql-hackers
LGTM. As far as I can tell this is ready for a committer. On Wed, 11 Jan 2023 at 00:15, Jacob Champion <jchampion@timescale.com> wrote: > > On Mon, Jan 9, 2023 at 7:07 AM Jelte Fennema <postgres@jeltef.nl> wrote: > > I also took a closer look at the code, and the only comment I have is: > > > > > appendPQExpBuffer(&conn->errorMessage, > > > > These calls can all be replaced by the recently added libpq_append_conn_error > > Argh, thanks for the catch. Fixed. > > > Finally I tested this against a Postgres server I created on Azure and > > the new value works as expected. The only thing that I think would be > > good to change is the error message when sslmode=verify-full, and > > sslrootcert is not provided, but ~/.postgresql/root.crt is also not available. > > I think it would be good for the error to mention sslrootcert=system > > Good idea. The wording I chose in v6 is > > Either provide the file, use the system's trusted roots with > sslrootcert=system, or change sslmode to disable server certificate > verification. > > What do you think? > > Thanks! > --Jacob
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed