Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Peter Eisentraut <peter.eisentraut@enterprisedb.com>

From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: Jacob Champion <jchampion@timescale.com>, Daniel Gustafsson <daniel@yesql.se>
Cc: "Gregory Stark (as CFM)" <stark.cfm@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Magnus Hagander <magnus@hagander.net>, Michael Paquier <michael@paquier.xyz>, thomas@habets.se, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>, Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-12T21:23:11Z
Lists: pgsql-hackers
On 12.04.23 22:52, Jacob Champion wrote:
> It surprises me that you can get a successful test with a missing
> certs directory. If I remove the workaround in Cirrus, I get the
> following error, which looks the same to me:
> 
>      [20:40:00.253](0.000s) not ok 121 - sslrootcert=system does not
> connect with private CA: matches
>      [20:40:00.253](0.000s) #   Failed test 'sslrootcert=system does
> not connect with private CA: matches'
>      #   at /Users/admin/pgsql/src/test/ssl/t/001_ssltests.pl line 479.
>      [20:40:00.253](0.000s) #                   'psql: error:
> connection to server at "127.0.0.1", port 57681 failed: SSL SYSCALL
> error: Undefined error: 0'
>      #     doesn't match '(?^:SSL error: certificate verify failed)'
> 
> (That broken error message has changed since 3.0; now it's busted in a
> new way as of 3.1, I guess.)
> 
> Does the test start passing if you create an empty certs directory? It
> still wouldn't explain why Daniel's setup is succeeding...

After

mkdir /usr/local/etc/openssl@3/certs

the tests pass!




Commits

  1. ci: Remove OpenSSL 3.1 workaround for missing system CA

  2. Fix errormessage for missing system CA in OpenSSL 3.1

  3. Add MacPorts support to src/test/ldap tests.

  4. Allow to use system CA pool for certificate verification