Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Jacob Champion <jchampion@timescale.com>
Cc: "Gregory Stark (as CFM)" <stark.cfm@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Magnus Hagander <magnus@hagander.net>, Michael Paquier <michael@paquier.xyz>, thomas@habets.se, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>, Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-05T21:27:14Z
Lists: pgsql-hackers
> On 3 Apr 2023, at 23:09, Jacob Champion <jchampion@timescale.com> wrote:
> 
> On Mon, Apr 3, 2023 at 12:40 PM Daniel Gustafsson <daniel@yesql.se> wrote:
>> Doh, sorry, my bad.  I read and wrote 1.0.1 but was thinking about 1.0.2.  You
>> are right, in 1.0.1 that API does not exist.  I'm not all too concerned with
>> skipping this tests on OpenSSL versions that by the time 16 ships are 6 years
>> EOL - and I'm not convinced that spending meson/autoconf cycles to include them
>> is warranted.
> 
> Cool. v10 keys off of HAVE_SSL_CTX_SET_CERT_CB, instead.

I squashed and pushed v10 with a few small comment tweaks for typos and some
pgindenting. Thanks!

--
Daniel Gustafsson




Commits

  1. ci: Remove OpenSSL 3.1 workaround for missing system CA

  2. Fix errormessage for missing system CA in OpenSSL 3.1

  3. Add MacPorts support to src/test/ldap tests.

  4. Allow to use system CA pool for certificate verification