Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Greg Stark <stark@mit.edu>
From: Greg Stark <stark@mit.edu>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Tom Lane <tgl@sss.pgh.pa.us>,
Peter Eisentraut <peter.eisentraut@enterprisedb.com>, Jacob Champion <jchampion@timescale.com>,
"Gregory Stark (as CFM)" <stark.cfm@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Magnus Hagander <magnus@hagander.net>, Michael Paquier <michael@paquier.xyz>, thomas@habets.se,
Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>, Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-13T01:34:09Z
Lists: pgsql-hackers
On Wed, Apr 12, 2023, 19:30 Daniel Gustafsson <daniel@yesql.se> wrote: > > The issue we have is that we cannot get PGconn in > verify_cb so logging an error is tricky. Hm, the man page talks about a "ex_data mechanism" which seems to be referring to this Rube Goldberg device https://www.openssl.org/docs/man3.1/man3/SSL_get_ex_data.html It looks like X509_STORE_CTX_set_app_data() and X509_STORE_CTX_get_app_data() would be convenience macros to do this.
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed