Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert - Mailing list pgsql-hackers

From Tom Lane
Subject Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date
Msg-id 1185564.1681335618@sss.pgh.pa.us
In response to Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (Peter Eisentraut <peter.eisentraut@enterprisedb.com>)
Responses Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (Daniel Gustafsson <daniel@yesql.se>)
List pgsql-hackers
Peter Eisentraut <peter.eisentraut@enterprisedb.com> writes:
> On 12.04.23 22:52, Jacob Champion wrote:
>> Does the test start passing if you create an empty certs directory? It
>> still wouldn't explain why Daniel's setup is succeeding...

> After
> mkdir /usr/local/etc/openssl@3/certs
> the tests pass!

Likewise, though MacPorts unsurprisingly uses a different place:

$ openssl info -configdir
/opt/local/libexec/openssl3/etc/openssl
$ sudo mkdir /opt/local/libexec/openssl3/etc/openssl/certs
$ make check PG_TEST_EXTRA=ssl
... success!

So this smells to me like a new OpenSSL bug: they should tolerate
a missing certs dir like they used to.  Who wants to file it?

            regards, tom lane


