Re: [GENERAL] debugging SSL connection problems

2017-07-11 Thread Michael Paquier
On Tue, Jul 11, 2017 at 6:32 AM, Magnus Hagander  wrote:
> On Mon, Jul 10, 2017 at 11:19 PM, Jeff Janes  wrote:
>> Is there a way to get libpq to hand over the certificate it gets from the
>> server, so I can inspect it with other tools that give better diagnostic
>> messages?  I've tried to scrape it out of the output of "strace -s8192", but
>> since it is binary it is difficult to figure out where it begins and ends
>> within the larger server response method.
>>
>
> PQgetssl() or PQsslStruct() should give you the required struct from
> OpenSSL, which you can then use OpenSSL to inspect. You should be able to
> use (I think) SSL_get_peer_certificate() to get at it.

Yes, that will work. The SSL context stored in PGconn offers enough
entry points to access all the SSL-related data.
-- 
Michael


-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general


Re: [GENERAL] debugging SSL connection problems

2017-07-10 Thread Magnus Hagander
On Mon, Jul 10, 2017 at 11:19 PM, Jeff Janes  wrote:

> Is there a way to get libpq to hand over the certificate it gets from the
> server, so I can inspect it with other tools that give better diagnostic
> messages?  I've tried to scrape it out of the output of "strace -s8192",
> but since it is binary it is difficult to figure out where it begins and
> ends within the larger server response method.

PQgetssl() or PQsslStruct() should give you the required struct from
OpenSSL, which you can then use OpenSSL to inspect. You should be able to
use (I think) SSL_get_peer_certificate() to get at it.

(This is what libpq does, and it stores it in ->peer, but that's a private API.
You can see be-secure-openssl.c for some examples.)

-- 
 Magnus Hagander
 Me: https://www.hagander.net/ 
 Work: https://www.redpill-linpro.com/ 
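An added example, not code from the thread or from PostgreSQL, that gets at the same goal Jeff asked about (hand the server certificate to other tools) without writing against libpq's PQgetssl()/PQsslStruct() and OpenSSL's SSL_get_peer_certificate(). It instead replays the one protocol step libpq performs before TLS starts: the client sends an 8-byte SSLRequest message (length 8 plus the code 80877103) and the server answers a single byte, 'S' to proceed with a TLS handshake or 'N' to refuse. Because that exchange comes first, a plain `ssl.get_server_certificate()` against port 5432 does not work; after it, Python's standard `ssl` module can expose the peer certificate in DER form, which is converted to PEM for `openssl x509 -text`. Certificate verification is disabled deliberately, since the scenario is a certificate that fails validation. The host, port and the `dbserver.example` placeholder are assumptions. For anyone taking the C route the thread describes, note that OpenSSL 3.0 deprecates SSL_get_peer_certificate() in favour of SSL_get1_peer_certificate().

```python
"""Dump a PostgreSQL server's TLS certificate as PEM for inspection.

Added example: speaks the SSLRequest step of the PostgreSQL protocol with the
standard library only, then reads the peer certificate from the TLS socket.
"""
import socket
import ssl
import struct
import sys

# SSLRequest message body: int32 length (8) followed by the magic code
# 80877103 == (1234 << 16) | 5679, both big-endian.
SSLREQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest message a client sends before any TLS."""
    return struct.pack("!ii", 8, SSLREQUEST_CODE)


def server_accepts_ssl(reply: bytes) -> bool:
    """Interpret the server's one-byte answer: b'S' = TLS, b'N' = refused."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    # Anything else (including an empty read) means we are not talking to a
    # PostgreSQL frontend/backend protocol endpoint, or the server errored.
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def fetch_server_cert_pem(host: str, port: int = 5432, timeout: float = 10.0) -> str:
    """Connect, perform SSLRequest, start TLS and return the peer cert as PEM.

    Verification is switched off on purpose: the certificate is retrieved so it
    can be examined even when validation against the local CA store fails.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        if not server_accepts_ssl(sock.recv(1)):
            raise RuntimeError(f"{host}:{port} refused SSL (server replied 'N')")
        # server_hostname still sends SNI even though hostname checking is off.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)  # DER bytes, unverified
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    # Usage: python pg_peer_cert.py dbserver.example [5432]
    # (dbserver.example is a placeholder host.)
    target = sys.argv[1] if len(sys.argv) > 1 else "dbserver.example"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5432
    sys.stdout.write(fetch_server_cert_pem(target, target_port))
```

Pipe the output into `openssl x509 -noout -text` (or `-noout -subject -issuer -dates`) to see what libpq was actually handed; if the server has an intermediate chain configured, only the leaf is returned by `getpeercert()`, so a chain problem still has to be diagnosed from the server's `ssl_cert_file` contents.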


[GENERAL] debugging SSL connection problems

2017-07-10 Thread Jeff Janes
Is there a way to get libpq to hand over the certificate it gets from the
server, so I can inspect it with other tools that give better diagnostic
messages?  I've tried to scrape it out of the output of "strace -s8192",
but since it is binary it is difficult to figure out where it begins and
ends within the larger server response method.

Thanks,

Jeff