Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Jacob Champion <jchampion(at)timescale(dot)com>
Cc: "Gregory Stark (as CFM)" <stark(dot)cfm(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>, thomas(at)habets(dot)se, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Jelte Fennema <postgres(at)jeltef(dot)nl>
Subject: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date: 2023-04-03 19:40:42
Message-ID: 827B36A4-06CA-43FB-BC54-1BC858FB6474@yesql.se
Lists: pgsql-hackers

> On 3 Apr 2023, at 21:04, Jacob Champion <jchampion(at)timescale(dot)com> wrote:
>
> On Sun, Apr 2, 2023 at 1:36 PM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>>> On 31 Mar 2023, at 19:59, Jacob Champion <jchampion(at)timescale(dot)com> wrote:
>>> I can make that change; note that it'll also skip some of the new tests
>>> with OpenSSL 1.0.1, where there's no SSL_CTX_set_cert_cb. If that's
>>> acceptable, it should be an easy switch.
>>
>> I'm not sure I follow, AFAICT it's present all the way till 3.1 at least? What
>> am I missing?
>
> I don't see it anywhere in my 1.0.1 setup, and Meson doesn't define
> HAVE_SSL_CTX_SET_CERT_CB when built against it.

Doh, sorry, my bad. I read and wrote 1.0.1 but was thinking about 1.0.2. You
are right, in 1.0.1 that API does not exist. I'm not all too concerned with
skipping these tests on OpenSSL versions that by the time 16 ships are 6 years
EOL - and I'm not convinced that spending meson/autoconf cycles to include them
is warranted.

Longer term I'd want to properly distinguish between LibreSSL and OpenSSL, but
then we should have a bigger discussion on what we want to use these values for.

>>> Is there something we could document that's more helpful than "make sure
>>> your installation isn't broken"?
>>
>> I wonder if there is an openssl command line example for verifying defaults
>> that we can document and refer to?
>
> We could maybe have them connect to a known host:
>
> $ echo Q | openssl s_client -connect postgresql.org:443 -verify_return_error

Something along these lines is probably best, if we do it at all. Needs
sleeping on.

--
Daniel Gustafsson
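The kind of "is the default CA store usable" check discussed above, done from the client side, as an added example that is not part of the thread or the patch. It assumes that Python's ssl module and libpq link the same OpenSSL default verify paths, and that SSL_CERT_FILE / SSL_CERT_DIR are the usual OpenSSL override variables; `verify_host` is the rough equivalent of the `openssl s_client ... -verify_return_error` probe quoted above.

```python
"""Inspect the OpenSSL default CA store that sslmode=verify-system would rely on.

Added example (not from the patch or the thread). Assumes the ssl module uses the
same OpenSSL default verify paths as libpq and that SSL_CERT_FILE/SSL_CERT_DIR
are the standard OpenSSL overrides.
"""
import os
import socket
import ssl


def system_ca_pool_report() -> dict:
    """Describe the default verify locations and how many CA certs load from them."""
    paths = ssl.get_default_verify_paths()
    # OpenSSL consults these env vars before the compiled-in file/dir.
    cafile = os.environ.get(paths.openssl_cafile_env) or paths.openssl_cafile
    capath = os.environ.get(paths.openssl_capath_env) or paths.openssl_capath
    ctx = ssl.create_default_context()  # loads the default store (load_default_certs)
    stats = ctx.cert_store_stats()
    return {
        "cafile": cafile,
        "cafile_exists": bool(cafile) and os.path.isfile(cafile),
        "capath": capath,
        "capath_exists": bool(capath) and os.path.isdir(capath),
        "ca_certs_loaded": stats["x509_ca"],
        # An empty store is the "installation is broken" case from the thread:
        # every verify-system connection would fail with an unknown-CA error.
        "usable": stats["x509_ca"] > 0,
    }


def verify_host(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Verify a known host's chain against the system pool only; returns (ok, detail)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, f"chain verified; issuer CN={issuer.get('commonName')}"
    except ssl.SSLCertVerificationError as e:
        return False, f"verification failed: {e.verify_message}"
    except OSError as e:
        return False, f"connection failed: {e}"


if __name__ == "__main__":
    for key, value in system_ca_pool_report().items():
        print(f"{key}: {value}")
    print(verify_host("postgresql.org"))  # needs network access
```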
