Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Peter Eisentraut <peter.eisentraut@enterprisedb.com>,
Jacob Champion <jchampion@timescale.com>,
"Gregory Stark (as CFM)" <stark.cfm@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Magnus Hagander <magnus@hagander.net>,
Michael Paquier <michael@paquier.xyz>,
thomas@habets.se,
Bruce Momjian <bruce@momjian.us>,
Andrew Dunstan <andrew@dunslane.net>,
Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-14T14:20:57Z
Lists: pgsql-hackers
Attachments
- libpq_system_ca_fix_v4.diff (application/octet-stream) patch v4
> On 14 Apr 2023, at 16:20, Daniel Gustafsson <daniel@yesql.se> wrote: > >> On 14 Apr 2023, at 15:51, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> >> Daniel Gustafsson <daniel@yesql.se> writes: >>> I mainly put save_errno back into SOCK_ERRNO for greppability, I don't have any >>> strong opinions either way so I went with the latter suggestion. Attached v3 >>> does the above change and passes the tests both with a broken and working >>> system CA pool. Unless objections from those with failing local envs I propose >>> this is pushed to close the open item. >> >> One more question when looking at it with fresh eyes: should the argument >> of X509_verify_cert_error_string be "ecode" or "vcode"? > > Good catch, it should be vcode. And again with the attachment. -- Daniel Gustafsson
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed