> On 25 Nov 2021, at 14:39, Joshua Brindle <joshua.brin...@crunchydata.com> wrote:
> 
> On Wed, Nov 24, 2021 at 8:49 AM Joshua Brindle
> <joshua.brin...@crunchydata.com> wrote:
>>
>> On Wed, Nov 24, 2021 at 8:46 AM Joshua Brindle
>> <joshua.brin...@crunchydata.com> wrote:
>>
>> I don't know enough about NSS to know if this is problematic or not,
>> but if I try verify-full without having the root CA in the certificate
>> store I get:
>>
>> $ /usr/pgsql-15/bin/psql "host=localhost sslmode=verify-full user=postgres"
>> psql: error: SSL error: Issuer certificate is invalid.
>> unable to shut down NSS context: NSS could not shutdown. Objects are
>> still in use.

Fixed.

> Something is strange with ssl downgrading and a bad ssldatabase:
>
> [postgres@11cdfa30f763 ~]$ /usr/pgsql-15/bin/psql "ssldatabase=oops
> sslcert=client_cert host=localhost"
> Password for user postgres:
>
> <freezes here>

Also fixed.

> On the server side:
>
> 2021-11-25 01:52:01.984 UTC [269] LOG:  unable to handshake:
> Encountered end of file (PR_END_OF_FILE_ERROR)

This is normal and expected, but to make it easier on users I've changed
this error message to be aligned with the OpenSSL implementation.

> Other than that (and I still haven't tested --with-llvm), I've gotten
> everything working, including with an OpenSSL client. Attached is a
> Dockerfile that gets to the point where a client can connect with
> clientcert=verify-full. I've removed some of the old cruft and
> debugging from the previous versions.

Very cool, thanks! I've been unable to reproduce any issues with llvm, but
I'll keep poking at that.

A new version will be posted shortly with the above and a few more fixes.

--
Daniel Gustafsson		https://vmware.com/