On Tue, Nov 1, 2022 at 10:55 AM Jacob Champion <jchamp...@timescale.com> wrote: > On Tue, Nov 1, 2022 at 10:03 AM Jacob Champion <jchamp...@timescale.com> > wrote: > > I'm not familiar with "unregistered scheme" in this context and will > > need to dig in. > > Unfortunately I can't reproduce with 3.0.0 on Ubuntu :(
Sorry, when rereading my own emails I suspect they didn't make much sense to readers. The failure I'm talking about is in cfbot [1], on the Monterey/Meson build, which is using OpenSSL 3.0.0. I unfortunately cannot reproduce this on my own Ubuntu machine. There is an additional test failure with LibreSSL, which doesn't appear to honor the SSL_CERT_FILE environment variable. This isn't a problem in production -- if you're using LibreSSL, you'd presumably understand that you can't use that envvar -- but it makes testing difficult, because I don't yet know a way to tell LibreSSL to use a different set of roots for the duration of a test. Has anyone dealt with this before? > If there are no valuable use cases for weaker checks, then we could go > even further than my 0002 and just reject any weaker sslmodes > outright. That'd be nice. I plan to take this approach in a future v3, with the opinion that it'd be better for this feature to start life as strict as possible. --Jacob [1] https://cirrus-ci.com/task/6176610722775040
