Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Msg-id B2888F53-9983-4A75-A997-E1FBBF74AA72@yesql.se
In response to Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
> On 13 Apr 2023, at 18:42, Daniel Gustafsson <daniel@yesql.se> wrote:

> Regarding the thread; I hope to have a suggestion for a way forward regarding
> the open issue later tonight.

After reading OpenSSL code and documentation, I think the simplest solution is
to explicitly check for X509 errors when OpenSSL reports SSL_ERROR_SYSCALL.
It's not documented why this particular error code is used, but AFAICT it's
because while it is a cert verification failure, the cause of it is an IO error
in reading a non-existing file or directory.

The attached diff passes the tests on OpenSSL 1.0.1 through 3.1 as well as on
LibreSSL. Thoughts?

--
Daniel Gustafsson

