Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date
Msg-id CAAWbhmi5KEt3icdbXhSN8ALyWVK5cBuJeCOnng91HVc-X31ikQ@mail.gmail.com
Whole thread Raw
In response to Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (Magnus Hagander <magnus@hagander.net>)
Responses Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
List pgsql-hackers
On Wed, Jan 11, 2023 at 10:23 AM Magnus Hagander <magnus@hagander.net> wrote:
> Sorry to jump in (very) late in this game. So first, I like this general approach :)

Thanks!

> It feels icky to have to add configure tests just to make a test work. But I guess there isn't really a way around
thatif we want to test the full thing. 

I agree...

> However, shouldn't we be using X509_get_default_cert_file_env() to get the name of the env? Granted it's  unlikely to
beanything else, but if it's an API you're supposed to use. (In an ideal world that function would not return anything
inLibreSSL but I think it does include something, and then just ignores it?) 

I think you're right, but before I do that, is the cure better than
the disease? It seems like that would further complicate a part of the
Perl tests that is already unnecessarily complicated. (The Postgres
code doesn't use the envvar at all.) Unless you already know of an
OpenSSL-alike that doesn't use that same envvar name?

--Jacob



pgsql-hackers by date:

Previous
From: Peter Geoghegan
Date:
Subject: Re: Option to not use ringbuffer in VACUUM, using it in failsafe mode
Next
From: Andres Freund
Date:
Subject: Re: Option to not use ringbuffer in VACUUM, using it in failsafe mode