projects / users / rhaas / postgres.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 77dedeb) | patch
Fix errormessage for missing system CA in OpenSSL 3.1
authorDaniel Gustafsson <[email protected]>
Wed, 19 Apr 2023 10:54:58 +0000 (12:54 +0200)
committerDaniel Gustafsson <[email protected]>
Wed, 19 Apr 2023 10:54:58 +0000 (12:54 +0200)
commit0b5d1fb36adda612bd3d5d032463a6eeb0729237
tree0526f777b9b6ba94fe17d3e01b3ec97fcd85fd44tree
parent77dedeb2c45745f592b504e181fa9d391d9afff0commit | diff
Fix errormessage for missing system CA in OpenSSL 3.1

The error message for a missing or invalid system CA when using
sslrootcert=system differs based on the OpenSSL version used.

In OpenSSL 1.0.1-3.0 it is reported as SSL Error, with varying
degrees of helpfulness in the error message. With OpenSSL 3.1 it
is reported as an SSL SYSCALL error with "Undefined error" as
the error message. This fix pulls out the particular error in
OpenSSL 3.1 as a certificate verify error in order to help the
user better figure out what happened, and to keep the ssl test
working. While there is no evidence that extracing the errors
will clobber errno, this adds a guard against that regardless
to also make the consistent with how we handle OpenSSL errors
elsewhere. It also memorizes the output from OpenSSL 3.0 in
the test in cases where the system CA isn't responding.

Reported-by: Peter Eisentraut <[email protected]>
Discussion: https://postgr.es/m/c39be3c5-c1a5-1e33-1024-16f527e251a4@enterprisedb.com
src/interfaces/libpq/fe-secure-openssl.c diff | blob | blame | history
src/test/ssl/t/001_ssltests.pl diff | blob | blame | history
Robert Haas's development tree.