From: | Jacob Champion <jchampion(at)timescale(dot)com> |
---|---|
To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
Cc: | "Gregory Stark (as CFM)" <stark(dot)cfm(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>, thomas(at)habets(dot)se, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Jelte Fennema <postgres(at)jeltef(dot)nl> |
Subject: | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
Date: | 2023-04-03 19:04:50 |
Message-ID: | CAAWbhmhUV+84fMOy7GRebyy-1ZEcT_9F5M2Tc_XjOARFbZjEWQ@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Sun, Apr 2, 2023 at 1:36 PM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> > On 31 Mar 2023, at 19:59, Jacob Champion <jchampion(at)timescale(dot)com> wrote:
> > I can make that change; note that it'll also skip some of the new tests
> > with OpenSSL 1.0.1, where there's no SSL_CTX_set_cert_cb. If that's
> > acceptable, it should be an easy switch.
>
> I'm not sure I follow, AFAICT it's present all the way till 3.1 at least? What
> am I missing?
I don't see it anywhere in my 1.0.1 setup, and Meson doesn't define
HAVE_SSL_CTX_SET_CERT_CB when built against it.
> > Is there something we could document that's more helpful than "make sure
> > your installation isn't broken"?
>
> I wonder if there is an openssl command line example for verifying defaults
> that we can document and refer to?
We could maybe have them connect to a known host:
$ echo Q | openssl s_client -connect postgresql.org:443 -verify_return_error
Alternatively, OpenSSL will show you the OPENSSLDIR:
$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
and then we could tell users to ensure they have a populated certs/
directory or a cert.pem file underneath it. That'll be prone to rot,
though (e.g. OpenSSL 3 introduces the default store in addition to the
default file+directory).
Thanks,
--Jacob
From | Date | Subject | |
---|---|---|---|
Next Message | Jeff Davis | 2023-04-03 19:05:29 | Re: running logical replication as the subscription owner |
Previous Message | Andres Freund | 2023-04-03 19:00:30 | Re: hio.c does visibilitymap_pin()/IO while holding buffer lock |