Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Peter Eisentraut <peter.eisentraut@enterprisedb.com>
From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: Jacob Champion <jchampion@timescale.com>,
Daniel Gustafsson <daniel@yesql.se>
Cc: "Gregory Stark (as CFM)" <stark.cfm@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Magnus Hagander <magnus@hagander.net>, Michael Paquier
<michael@paquier.xyz>, thomas@habets.se, Tom Lane <tgl@sss.pgh.pa.us>,
Bruce Momjian <bruce@momjian.us>, Andrew Dunstan <andrew@dunslane.net>,
Jelte Fennema <postgres@jeltef.nl>
Date: 2023-04-12T21:23:11Z
Lists: pgsql-hackers
On 12.04.23 22:52, Jacob Champion wrote: > It surprises me that you can get a successful test with a missing > certs directory. If I remove the workaround in Cirrus, I get the > following error, which looks the same to me: > > [20:40:00.253](0.000s) not ok 121 - sslrootcert=system does not > connect with private CA: matches > [20:40:00.253](0.000s) # Failed test 'sslrootcert=system does > not connect with private CA: matches' > # at /Users/admin/pgsql/src/test/ssl/t/001_ssltests.pl line 479. > [20:40:00.253](0.000s) # 'psql: error: > connection to server at "127.0.0.1", port 57681 failed: SSL SYSCALL > error: Undefined error: 0' > # doesn't match '(?^:SSL error: certificate verify failed)' > > (That broken error message has changed since 3.0; now it's busted in a > new way as of 3.1, I guess.) > > Does the test start passing if you create an empty certs directory? It > still wouldn't explain why Daniel's setup is succeeding... After mkdir /usr/local/etc/openssl@3/certs the tests pass!
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed