On Tue, Jul 11, 2017 at 6:32 AM, Magnus Hagander <magnus@hagander.net> wrote:
> On Mon, Jul 10, 2017 at 11:19 PM, Jeff Janes <jeff.janes@gmail.com> wrote:
>> Is there a way to get libpq to hand over the certificate it gets from the
>> server, so I can inspect it with other tools that give better diagnostic
>> messages? I've tried to scrape it out of the output of "strace -s8192", but
>> since it is binary it is difficult to figure out where it begins and ends
>> within the larger server response method.
>>
>
> PQgetssl() or PQsslStruct() should give you the required struct from
> OpenSSL, which you can then use OpenSSL to inspect. You should be able to
> use (I think) SSL_get_peer_certificate() to get at it.
Yes that will work. The SSL context stored in PGconn offers enough
entry point to access all the SSL-related data.
--
Michael