Allow to use system CA pool for certificate verification
This adds a new option to libpq's sslrootcert, "system", which will load
the system trusted CA roots for certificate verification. This is a more
convenient way to achieve this than pointing to the system CA roots
manually since the location can differ by installation and be locally
adjusted by env vars in OpenSSL.
When sslrootcert is set to system, sslmode is forced to be verify-full
as weaker modes aren't providing much security for public CAs.
Changing the location of the system roots by setting environment vars is
not supported by LibreSSL so the tests will use a heuristic to determine
if the system being tested is LibreSSL or OpenSSL.
The workaround in .cirrus.yml is required to handle a strange interaction
between homebrew and the openssl@3 formula; hopefully this can be removed
in the near future.
The original patch was written by Thomas Habets, which was later revived
by Jacob Champion.
Author: Jacob Champion <jchampion@timescale.com>
Author: Thomas Habets <thomas@habets.se>
Reviewed-by: Jelte Fennema <postgres@jeltef.nl>
Reviewed-by: Andrew Dunstan <andrew@dunslane.net>
Reviewed-by: Magnus Hagander <magnus@hagander.net>
Discussion:
https://www.postgresql.org/message-id/flat/CA%2BkHd%2BcJwCUxVb-Gj_0ptr3_KZPwi3%2B67vK6HnLFBK9MzuYrLA%40mail.gmail.com
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/8eda7314652703a2ae30d6c4a69c378f6813a7f2
Modified Files
--------------
.cirrus.yml | 14 +++++-
doc/src/sgml/libpq.sgml | 24 ++++++++++
doc/src/sgml/runtime.sgml | 6 ++-
src/interfaces/libpq/fe-connect.c | 66 +++++++++++++++++++++++++++
src/interfaces/libpq/fe-secure-openssl.c | 29 ++++++++++--
src/interfaces/libpq/t/001_uri.pl | 30 +++++++++++-
src/test/ssl/ssl/server-cn-only+server_ca.crt | 38 +++++++++++++++
src/test/ssl/sslfiles.mk | 6 ++-
src/test/ssl/t/001_ssltests.pl | 43 +++++++++++++++++
9 files changed, 247 insertions(+), 9 deletions(-)