public inbox for [email protected]
help / color / mirror / Atom feedFrom: Heikki Linnakangas <[email protected]>
To: David Zhang <[email protected]>
To: Pgsql Hackers <[email protected]>
Subject: Re: improve ssl error code, 2147483650
Date: Thu, 7 Mar 2024 18:08:35 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
On 07/03/2024 02:12, David Zhang wrote:
> The SSL_CTX_load_verify_locations function in OpenSSL will return NULL
> if there is a system error, such as "No such file or directory" in this
> case:
>
> const char *ERR_reason_error_string(unsigned long e)
> {
> ERR_STRING_DATA d, *p = NULL;
> unsigned long l, r;
>
> if (!RUN_ONCE(&err_string_init, do_err_strings_init)) {
> return NULL;
> }
>
> /*
> * ERR_reason_error_string() can't safely return system error strings,
> * since openssl_strerror_r() needs a buffer for thread safety, and we
> * haven't got one that would serve any sensible purpose.
> */
> if (ERR_SYSTEM_ERROR(e))
> return NULL;
That's pretty unfortunate. As typical with OpenSSL, this stuff is not
very well documented, but I think we could do something like this in
SSLerrmessage():
if (ERR_SYSTEM_ERROR(e))
errreason = strerror(ERR_GET_REASON(e));
ERR_SYSTEM_ERROR only exists in OpenSSL 3.0 and above, and the only
documentation I could find was in this one obscure place in the man
pages:
https://www.openssl.org/docs/man3.2/man3/BIO_dgram_get_local_addr_enable.html.
But as a best-effort thing, it would still be better than "SSL error
code 2147483650".
> It would be better to perform a simple SSL file check before passing the
> SSL file to OpenSSL APIs so that the system error can be captured and a
> meaningful message provided to the end user.
That feels pretty ugly. I agree it would catch most of the common
mistakes in practice, so maybe we should just hold our noses and do it
anyway, if the above ERR_SYSTEM_ERROR() method doesn't work.
It's sad that we cannot pass a file descriptor or in-memory copy of the
file contents to those functions.
--
Heikki Linnakangas
Neon (https://neon.tech)
view thread (3+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: improve ssl error code, 2147483650
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox