Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

From: Daniel Gustafsson
Subject: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date:
Msg-id: B2888F53-9983-4A75-A997-E1FBBF74AA72@yesql.se
In reply to: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (Daniel Gustafsson <daniel@yesql.se>)
Responses: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
List: pgsql-hackers
> On 13 Apr 2023, at 18:42, Daniel Gustafsson <daniel@yesql.se> wrote:

> Regarding the thread; I hope to have a suggestion for a way forward regarding
> the open issue later tonight.

After reading OpenSSL code and documentation, I think the simplest solution is
to explicitly check for X509 errors when OpenSSL reports SSL_ERROR_SYSCALL.
It's not documented why this particular error code is used, but AFAICT it's
because while it is a cert verification failure, the cause of it is an IO error
in reading a non-existing file or directory.

The attached diff passes the tests on OpenSSL 1.0.1 through 3.1 as well as on
LibreSSL. Thoughts?

--
Daniel Gustafsson

