Quick Links

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

From:	Daniel Gustafsson <daniel(at)yesql(dot)se>
To:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc:	Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>, Jacob Champion <jchampion(at)timescale(dot)com>, "Gregory Stark (as CFM)" <stark(dot)cfm(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>, thomas(at)habets(dot)se, Bruce Momjian <bruce(at)momjian(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Jelte Fennema <postgres(at)jeltef(dot)nl>
Subject:	Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date:	2023-04-13 23:09:55
Message-ID:	DB94E29B-DCEA-443B-A4F1-14C4E01F5066@yesql.se
Views:	Whole Thread \| Raw Message \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

> On 14 Apr 2023, at 00:52, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> Daniel Gustafsson <daniel(at)yesql(dot)se> writes:
>> The attached diff passes the tests on OpenSSL 1.0.1 through 3.1 as well as on
>> LibreSSL. Thoughts?
>
> 1. You can't assume that errno starts out zero, unless you zero it
> right before SSL_connect.

Maybe we should do that regardless of this? We do for reading and writing but
not in open_client_SSL, and I can't off the top of my head think of a good
reason not to?

> 2. I wonder whether it's safe to assume that errno (a/k/a SOCK_ERRNO)
> can't be clobbered by SSL_get_verify_result.
>
> 3. It seems weird to refer to errno directly just a couple lines away
> from where we refer to it via SOCK_ERRNO. Will this even compile
> on Windows?

Good points, it should of course be SOCK_ERRNO. The attached saves off errno
and reinstates it to avoid clobbering. Will test it on Windows in the morning
as well.

--
Daniel Gustafsson

Attachment	Content-Type	Size
libpq_system_ca_fix_v2.diff	application/octet-stream	1.4 KB

In response to

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert at 2023-04-13 22:52:20 from Tom Lane

Responses

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert at 2023-04-13 23:27:45 from Tom Lane

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Michael Paquier	2023-04-13 23:14:07	Re: User functions for building SCRAM secrets
Previous Message	Thomas Munro	2023-04-13 23:05:41	Re: Wrong results from Parallel Hash Full Join