| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | David Zhang <david(dot)zhang(at)highgo(dot)ca> |
| Cc: | Pgsql Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: improve ssl error code, 2147483650 |
| Date: | 2024-03-07 18:10:53 |
| Message-ID: | 548941.1709835053@sss.pgh.pa.us |
| Lists: | pgsql-hackers |

David Zhang <david(dot)zhang(at)highgo(dot)ca> writes:
> When configuring SSL on the Postgres server side with the following
> information:
>
> ssl = on
> ssl_ca_file = 'root_ca.crt'
> ssl_cert_file = 'server-cn-only.crt'
> ssl_key_file = 'server-cn-only.key'
>
> If a user makes a mistake, for example, accidentally using 'root_ca.crl'
> instead of 'root_ca.crt', Postgres will report an error like the one below:
>
> FATAL: could not load root certificate file "root_ca.crl": SSL error
> code 2147483650

Interestingly, this works fine for me on RHEL8 (with openssl-1.1.1k):

2024-03-07 12:57:53.432 EST [547522] FATAL: F0000: could not load root certificate file "foo.bar": No such file or directory
2024-03-07 12:57:53.432 EST [547522] LOCATION: be_tls_init, be-secure-openssl.c:306

I do reproduce your problem on Fedora 39 with openssl-3.1.1.
So this seems to be a regression on OpenSSL's part. Maybe
they'll figure out how to fix it sometime; that seems to be
another good argument for not pre-empting their error handling.

regards, tom lane
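
An added example, not part of the original message and not PostgreSQL's or OpenSSL's own code: the reported value 2147483650 is 0x80000002, and in the OpenSSL 3.x error-code layout the top bit marks a code whose low bits carry a system errno, here 2 (ENOENT), which matches the "No such file or directory" text in the 1.1.1k log above. The `ex_` names are hypothetical and the layout constants are re-declared locally so the block builds without OpenSSL headers.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; values follow the OpenSSL 3.x error-code layout. */
#define EX_SYSTEM_FLAG  ((unsigned long) INT_MAX + 1)   /* 0x80000000 */
#define EX_SYSTEM_MASK  ((unsigned long) INT_MAX)
#define EX_LIB_OFFSET   23
#define EX_LIB_MASK     0xFFUL
#define EX_REASON_MASK  0x7FFFFFUL

/* Nonzero when the code wraps an errno instead of a library reason. */
static int ex_is_system_error(unsigned long ecode)
{
    return (ecode & EX_SYSTEM_FLAG) != 0;
}

/* The errno for system errors, the library reason code otherwise. */
static int ex_reason(unsigned long ecode)
{
    if (ex_is_system_error(ecode))
        return (int) (ecode & EX_SYSTEM_MASK);
    return (int) (ecode & EX_REASON_MASK);
}

/* Library number for library errors; -1 when the code is a system error. */
static int ex_lib(unsigned long ecode)
{
    if (ex_is_system_error(ecode))
        return -1;
    return (int) ((ecode >> EX_LIB_OFFSET) & EX_LIB_MASK);
}

/* Render a code as text a DBA can act on; falls back to the raw number. */
static const char *ex_describe(unsigned long ecode, char *buf, size_t len)
{
    if (ecode == 0)
        snprintf(buf, len, "no SSL error reported");
    else if (ex_is_system_error(ecode))
        snprintf(buf, len, "%s", strerror(ex_reason(ecode)));
    else
        snprintf(buf, len, "SSL error code %lu (lib %d, reason %d)",
                 ecode, ex_lib(ecode), ex_reason(ecode));
    return buf;
}

int main(void)
{
    char buf[128];
    /* 2147483650 is the value from the report quoted above. */
    printf("%s\n", ex_describe(2147483650UL, buf, sizeof buf));
    return 0;
}
```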