Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>, Peter Eisentraut <peter.eisentraut@enterprisedb.com>, Jacob Champion <jchampion@timescale.com>
Cc: "Gregory Stark (as CFM)" <stark.cfm@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Magnus Hagander <magnus@hagander.net>, Michael Paquier <michael@paquier.xyz>, thomas@habets.se, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>, Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-13T22:26:19Z
Lists: pgsql-hackers

Attachments

> On 13 Apr 2023, at 18:42, Daniel Gustafsson <daniel@yesql.se> wrote:

> Regarding the thread; I hope to have a suggestion for a way forward regarding
> the open issue later tonight.

After reading OpenSSL code and documentation, I think the simplest solution is
to explicitly check for X509 errors when OpenSSL reports SSL_ERROR_SYSCALL.
It's not documented why this particular errorcode is used, but AFAICT it's
because while it is a cert verification failure, the cause of it is an IO error
in reading a non-existing file or directory.

The attached diff passes the tests on OpenSSL 1.0.1 through 3.1 as well as on
LibreSSL. Thoughts?

--
Daniel Gustafsson

Commits

  1. ci: Remove OpenSSL 3.1 workaround for missing system CA

  2. Fix errormessage for missing system CA in OpenSSL 3.1

  3. Add MacPorts support to src/test/ldap tests.

  4. Allow to use system CA pool for certificate verification