| From: | Jacob Champion <jchampion(at)timescale(dot)com> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
| Cc: | Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>, "Gregory Stark (as CFM)" <stark(dot)cfm(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>, thomas(at)habets(dot)se, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Jelte Fennema <postgres(at)jeltef(dot)nl> |
| Subject: | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
| Date: | 2023-04-12 20:52:35 |
| Message-ID: | CAAWbhmiuPShycLkn5_zEx_vk4waY1sf-_21f+FgGk9Y6uRZAmg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
(Peter, your emails are being redirected to spam for me, FYI.
Something about messagingengine.)
On Wed, Apr 12, 2023 at 12:57 PM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> > On 12 Apr 2023, at 21:43, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> wrote:
> > On 12.04.23 18:54, Jacob Champion wrote:
> >> Peter, you should have a .../etc/openssl(at)3/certs directory somewhere
> >> in your Homebrew installation prefix -- do you, or has Homebrew
> >> removed it by mistake?
> >
> > I don't have that, but I don't have it for openssl(at)1(dot)1 either.
AFAIK this behavior started with 3.x.
> The important bit is that your OPENSSLDIR points to a directory which has the
> content OpenSSL needs.
>
> > I have
> >
> > ~$ ll /usr/local/etc/openssl(at)3
> > total 76
> > drwxr-xr-x 7 peter admin 224 2023-03-08 08:49 misc/
> > lrwxr-xr-x 1 peter admin 27 2023-03-21 13:41 cert.pem -> ../ca-certificates/cert.pem
> > -rw-r--r-- 1 peter admin 412 2023-03-21 13:41 ct_log_list.cnf
> > -rw-r--r-- 1 peter admin 412 2023-03-21 13:41 ct_log_list.cnf.dist
> > -rw-r--r-- 1 peter admin 351 2023-03-08 08:57 fipsmodule.cnf
> > -rw-r--r-- 1 peter admin 12386 2023-03-13 10:49 openssl.cnf
> > -rw-r--r-- 1 peter admin 12292 2023-03-21 13:41 openssl.cnf.default
> > -rw-r--r-- 1 peter admin 12292 2023-03-08 08:49 openssl.cnf.dist
> > -rw-r--r-- 1 peter admin 12292 2023-03-21 13:41 openssl.cnf.dist.default
>
> Assuming that's your OPENSSLDIR, then that looks like it should (it's precisely
> what I have).
It surprises me that you can get a successful test with a missing
certs directory. If I remove the workaround in Cirrus, I get the
following error, which looks the same to me:
[20:40:00.253](0.000s) not ok 121 - sslrootcert=system does not
connect with private CA: matches
[20:40:00.253](0.000s) # Failed test 'sslrootcert=system does
not connect with private CA: matches'
# at /Users/admin/pgsql/src/test/ssl/t/001_ssltests.pl line 479.
[20:40:00.253](0.000s) # 'psql: error:
connection to server at "127.0.0.1", port 57681 failed: SSL SYSCALL
error: Undefined error: 0'
# doesn't match '(?^:SSL error: certificate verify failed)'
(That broken error message has changed since 3.0; now it's busted in a
new way as of 3.1, I guess.)
Does the test start passing if you create an empty certs directory? It
still wouldn't explain why Daniel's setup is succeeding...
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2023-04-12 20:56:48 | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
| Previous Message | Daniel Gustafsson | 2023-04-12 20:29:45 | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |