Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

From: Jacob Champion
Subject: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Msg-id: CAAWbhmiuPShycLkn5_zEx_vk4waY1sf-_21f+FgGk9Y6uRZAmg@mail.gmail.com
In reply to: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (Daniel Gustafsson <daniel@yesql.se>)
Responses: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (Peter Eisentraut <peter.eisentraut@enterprisedb.com>)
List: pgsql-hackers
(Peter, your emails are being redirected to spam for me, FYI.
Something about messagingengine.)

On Wed, Apr 12, 2023 at 12:57 PM Daniel Gustafsson <daniel@yesql.se> wrote:
> > On 12 Apr 2023, at 21:43, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:
> > On 12.04.23 18:54, Jacob Champion wrote:
> >> Peter, you should have a .../etc/openssl@3/certs directory somewhere
> >> in your Homebrew installation prefix -- do you, or has Homebrew
> >> removed it by mistake?
> >
> > I don't have that, but I don't have it for openssl@1.1 either.

AFAIK this behavior started with 3.x.

> The important bit is that your OPENSSLDIR points to a directory which has the
> content OpenSSL needs.
>
> > I have
> >
> > ~$ ll /usr/local/etc/openssl@3
> > total 76
> > drwxr-xr-x 7 peter admin   224 2023-03-08 08:49 misc/
> > lrwxr-xr-x 1 peter admin    27 2023-03-21 13:41 cert.pem -> ../ca-certificates/cert.pem
> > -rw-r--r-- 1 peter admin   412 2023-03-21 13:41 ct_log_list.cnf
> > -rw-r--r-- 1 peter admin   412 2023-03-21 13:41 ct_log_list.cnf.dist
> > -rw-r--r-- 1 peter admin   351 2023-03-08 08:57 fipsmodule.cnf
> > -rw-r--r-- 1 peter admin 12386 2023-03-13 10:49 openssl.cnf
> > -rw-r--r-- 1 peter admin 12292 2023-03-21 13:41 openssl.cnf.default
> > -rw-r--r-- 1 peter admin 12292 2023-03-08 08:49 openssl.cnf.dist
> > -rw-r--r-- 1 peter admin 12292 2023-03-21 13:41 openssl.cnf.dist.default
>
> Assuming that's your OPENSSLDIR, then that looks like it should (it's precisely
> what I have).

It surprises me that you can get a successful test with a missing
certs directory. If I remove the workaround in Cirrus, I get the
following error, which looks the same to me:

    [20:40:00.253](0.000s) not ok 121 - sslrootcert=system does not connect with private CA: matches
    [20:40:00.253](0.000s) #   Failed test 'sslrootcert=system does not connect with private CA: matches'
    #   at /Users/admin/pgsql/src/test/ssl/t/001_ssltests.pl line 479.
    [20:40:00.253](0.000s) #                   'psql: error: connection to server at "127.0.0.1", port 57681 failed: SSL SYSCALL error: Undefined error: 0'
    #     doesn't match '(?^:SSL error: certificate verify failed)'

(That broken error message has changed since 3.0; now it's busted in a
new way as of 3.1, I guess.)

Does the test start passing if you create an empty certs directory? It
still wouldn't explain why Daniel's setup is succeeding...

--Jacob
