| From: | Jacob Champion <jchampion(at)timescale(dot)com> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>, "Gregory Stark (as CFM)" <stark(dot)cfm(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>, thomas(at)habets(dot)se, Bruce Momjian <bruce(at)momjian(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Jelte Fennema <postgres(at)jeltef(dot)nl> |
| Subject: | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
| Date: | 2023-04-14 17:34:36 |
| Message-ID: | fea965be-3e9e-95d3-8b24-d80942cc72c6@timescale.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Apr 14, 2023 at 7:20 AM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> And again with the attachment.
After some sleep... From inspection I think the final EOF branch could
be masked by the new branch, if verification has failed but was already
ignored.
To test that, I tried hanging up on the client partway through the
server handshake, and I got some strange results. With the patch, using
sslmode=require and OpenSSL 1.0.1, I see:
connection to server at "127.0.0.1", port 50859 failed: SSL error:
certificate verify failed: self signed certificate
Which is wrong -- we shouldn't care about the self-signed failure if
we're not using verify-*. I was going to suggest a patch like the following:
> if (r == -1)
> - libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
> - SOCK_STRERROR(SOCK_ERRNO, sebuf, sizeof(sebuf)));
> + {
> + /*
> + * If we get an X509 error here without an error in the
> + * socket layer it means that verification failed without
> + * it being a protocol error. A common cause is trying to
> + * a default system CA which is missing or broken.
> + */
> + if (!save_errno && vcode != X509_V_OK)
> + libpq_append_conn_error(conn, "SSL error: certificate verify failed: %s",
> + X509_verify_cert_error_string(vcode));
> + else
> + libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
> + SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
> + }
> else
> libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
But then I tested my case against PG15, and I didn't get the EOF message
I expected:
connection to server at "127.0.0.1", port 50283 failed: SSL SYSCALL
error: Success
So it appears that this (hanging up on the client during the handshake)
is _also_ a case where we could get a SYSCALL error with a zero errno,
and my patch doesn't actually fix the misleading error message.
That makes me worried, but I don't really have a concrete suggestion to
make it better, yet. I'm not opposed to pushing this as a fix for the
tests, but I suspect we'll have to iterate on this more.
Thanks,
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Karl O. Pinc | 2023-04-14 17:41:23 | Re: doc: add missing "id" attributes to extension packaging page |
| Previous Message | Tom Lane | 2023-04-14 17:21:33 | Re: Direct I/O |