Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Jelte Fennema-Nio <postgres@jeltef.nl>

From: Jelte Fennema <postgres@jeltef.nl>
To: Jacob Champion <jchampion@timescale.com>
Cc: Michael Paquier <michael@paquier.xyz>, thomas@habets.se, pgsql-hackers@postgresql.org, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>
Date: 2023-01-11T14:37:17Z
Lists: pgsql-hackers
LGTM. As far as I can tell this is ready for a committer.

On Wed, 11 Jan 2023 at 00:15, Jacob Champion <jchampion@timescale.com> wrote:
>
> On Mon, Jan 9, 2023 at 7:07 AM Jelte Fennema <postgres@jeltef.nl> wrote:
> > I also took a closer look at the code, and the only comment I have is:
> >
> > > appendPQExpBuffer(&conn->errorMessage,
> >
> > These calls can all be replaced by the recently added libpq_append_conn_error
>
> Argh, thanks for the catch. Fixed.
>
> > Finally I tested this against a Postgres server I created on Azure and
> > the new value works as expected. The only thing that I think would be
> > good to change is the error message when sslmode=verify-full, and
> > sslrootcert is not provided, but ~/.postgresql/root.crt is also not available.
> > I think it would be good for the error to mention sslrootcert=system
>
> Good idea. The wording I chose in v6 is
>
>     Either provide the file, use the system's trusted roots with
> sslrootcert=system, or change sslmode to disable server certificate
> verification.
>
> What do you think?
>
> Thanks!
> --Jacob



Commits

  1. ci: Remove OpenSSL 3.1 workaround for missing system CA

  2. Fix errormessage for missing system CA in OpenSSL 3.1

  3. Add MacPorts support to src/test/ldap tests.

  4. Allow to use system CA pool for certificate verification