NotificationsYou must be signed in to change notification settings
Fork4.9k
Star17.7k

Commit0b5d1fb

committed

Fix errormessage for missing system CA in OpenSSL 3.1

The error message for a missing or invalid system CA when usingsslrootcert=system differs based on the OpenSSL version used.In OpenSSL 1.0.1-3.0 it is reported as SSL Error, with varyingdegrees of helpfulness in the error message. With OpenSSL 3.1 itis reported as an SSL SYSCALL error with "Undefined error" asthe error message. This fix pulls out the particular error inOpenSSL 3.1 as a certificate verify error in order to help theuser better figure out what happened, and to keep the ssl testworking. While there is no evidence that extracing the errorswill clobber errno, this adds a guard against that regardlessto also make the consistent with how we handle OpenSSL errorselsewhere. It also memorizes the output from OpenSSL 3.0 inthe test in cases where the system CA isn't responding.Reported-by: Peter Eisentraut <peter.eisentraut@enterprisedb.com>Discussion:https://postgr.es/m/c39be3c5-c1a5-1e33-1024-16f527e251a4@enterprisedb.com

1 parent77dedeb commit0b5d1fbCopy full SHA for 0b5d1fb

File tree

2 files changed

+24

-4

lines changed

src
- interfaces/libpq
  - fe-secure-openssl.c
- test/ssl/t
  - 001_ssltests.pl

2 files changed

+24

-4

lines changed

`‎src/interfaces/libpq/fe-secure-openssl.c`

Lines changed: 21 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1489,10 +1489,12 @@ open_client_SSL(PGconn *conn)`
`1489`	`1489`	`{`
`1490`	`1490`	`intr;`
`1491`	`1491`
	`1492`	`+SOCK_ERRNO_SET(0);`
`1492`	`1493`	`ERR_clear_error();`
`1493`	`1494`	`r=SSL_connect(conn->ssl);`
`1494`	`1495`	`if (r <=0)`
`1495`	`1496`	`{`
	`1497`	`+intsave_errno=SOCK_ERRNO;`
`1496`	`1498`	`interr=SSL_get_error(conn->ssl,r);`
`1497`	`1499`	`unsigned longecode;`
`1498`	`1500`
`@@ -1508,10 +1510,26 @@ open_client_SSL(PGconn *conn)`
`1508`	`1510`	`caseSSL_ERROR_SYSCALL:`
`1509`	`1511`	`{`
`1510`	`1512`	`charsebuf[PG_STRERROR_R_BUFLEN];`
`1511`		`-`
`1512`		`-if (r==-1)`
	`1513`	`+unsigned longvcode;`
	`1514`	`+`
	`1515`	`+vcode=SSL_get_verify_result(conn->ssl);`
	`1516`	`+`
	`1517`	`+/*`
	`1518`	`+ * If we get an X509 error here for failing to load the`
	`1519`	`+ * local issuer cert, without an error in the socket layer`
	`1520`	`+ * it means that verification failed due to a missing`
	`1521`	`+ * system CA pool without it being a protocol error. We`
	`1522`	`+ * inspect the sslrootcert setting to ensure that the user`
	`1523`	`+ * was using the system CA pool. For other errors, log them`
	`1524`	`+ * using the normal SYSCALL logging.`
	`1525`	`+ */`
	`1526`	`+if (!save_errno&&vcode==X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY&&`
	`1527`	`+strcmp(conn->sslrootcert,"system")==0)`
	`1528`	`+libpq_append_conn_error(conn,"SSL error: certificate verify failed: %s",`
	`1529`	`+X509_verify_cert_error_string(vcode));`
	`1530`	`+elseif (r==-1)`
`1513`	`1531`	`libpq_append_conn_error(conn,"SSL SYSCALL error: %s",`
`1514`		`-SOCK_STRERROR(SOCK_ERRNO,sebuf,sizeof(sebuf)));`
	`1532`	`+SOCK_STRERROR(save_errno,sebuf,sizeof(sebuf)));`
`1515`	`1533`	`else`
`1516`	`1534`	`libpq_append_conn_error(conn,"SSL SYSCALL error: EOF detected");`
`1517`	`1535`	`pgtls_close(conn);`

`‎src/test/ssl/t/001_ssltests.pl`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -476,10 +476,12 @@ sub switch_server_cert`
`476`	`476`	`"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=system hostaddr=$SERVERHOSTADDR";`
`477`	`477`
`478`	`478`	`# By default our custom-CA-signed certificate should not be trusted.`
	`479`	`+# OpenSSL 3.0 reports a missing/invalid system CA as "unregistered schema"`
	`480`	`+# instead of a failed certificate verification.`
`479`	`481`	`$node->connect_fails(`
`480`	`482`	`"$common_connstr sslmode=verify-full host=common-name.pg-ssltest.test",`
`481`	`483`	`"sslrootcert=system does not connect with private CA",`
`482`		`-expected_stderr=>qr/SSL error: certificate verify failed/);`
	`484`	`+expected_stderr=>qr/SSL error:(certificate verify failed\|unregistered scheme)/);`
`483`	`485`
`484`	`486`	`# Modes other than verify-full cannot be mixed with sslrootcert=system.`
`485`	`487`	`$node->connect_fails(`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0b5d1fb

File tree

2 files changed

2 files changed

`‎src/interfaces/libpq/fe-secure-openssl.c`

`‎src/test/ssl/t/001_ssltests.pl`

0 commit comments