public inbox for [email protected]
help / color / mirror / Atom feedFrom: Tom Lane <[email protected]>
To: David Zhang <[email protected]>
Cc: Pgsql Hackers <[email protected]>
Subject: Re: improve ssl error code, 2147483650
Date: Thu, 07 Mar 2024 13:10:53 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
David Zhang <[email protected]> writes:
> When configuring SSL on the Postgres server side with the following
> information:
> ssl = on
> ssl_ca_file = 'root_ca.crt'
> ssl_cert_file = 'server-cn-only.crt'
> ssl_key_file = 'server-cn-only.key'
> If a user makes a mistake, for example, accidentally using 'root_ca.crl'
> instead of 'root_ca.crt', Postgres will report an error like the one below:
> FATAL: could not load root certificate file "root_ca.crl": SSL error
> code 2147483650
Interestingly, this works fine for me on RHEL8 (with openssl-1.1.1k):
2024-03-07 12:57:53.432 EST [547522] FATAL: F0000: could not load root certificate file "foo.bar": No such file or directory
2024-03-07 12:57:53.432 EST [547522] LOCATION: be_tls_init, be-secure-openssl.c:306
I do reproduce your problem on Fedora 39 with openssl-3.1.1.
So this seems to be a regression on OpenSSL's part. Maybe
they'll figure out how to fix it sometime; that seems to be
another good argument for not pre-empting their error handling.
regards, tom lane
view thread (2+ messages)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: improve ssl error code, 2147483650
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox