Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1riHWY-00G9AC-St for pgsql-hackers@arkaria.postgresql.org; Thu, 07 Mar 2024 17:27:19 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1riHWX-007IfS-8x for pgsql-hackers@arkaria.postgresql.org; Thu, 07 Mar 2024 17:27:17 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1riHWW-007IfK-Ky for pgsql-hackers@lists.postgresql.org; Thu, 07 Mar 2024 17:27:17 +0000 Received: from tamriel.snowman.net ([2001:470:e38f::11]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1riHWT-003IP3-AQ for pgsql-hackers@lists.postgresql.org; Thu, 07 Mar 2024 17:27:16 +0000 Received: by tamriel.snowman.net (Postfix, from userid 1000) id A7E985F7B7; Thu, 7 Mar 2024 12:27:06 -0500 (EST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=snowman.net; s=dkim; t=1709832426; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=46Olut4hqxomiVDopw5jemjDYOMPfZ+ujYCblal7OlA=; b=Z+0vcJBhnEpCdAxTEpF4gNjNSkCxUfwzId+blSHp9f+nM0DVWAFQJqWAL8rgs+uGxslCma XRqAvOj34qWzQD4Wj5BaAoRUERah6JZ9JIE7EFHPny3LqpM0VAFq1y/Nj8eG/MELEfg/Ps 8DNlcWkaG9oVrENAuz9WooblLuCYMYA= Date: Thu, 7 Mar 2024 12:27:06 -0500 From: Stephen Frost To: Heikki Linnakangas Cc: David Zhang , Pgsql Hackers Subject: Re: improve ssl error code, 2147483650 Message-ID: References: <86932ed6-e4b3-44cd-abf2-7f0173dea782@iki.fi> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="ziJvP/BYUGzwRdQ0" Content-Disposition: inline In-Reply-To: <86932ed6-e4b3-44cd-abf2-7f0173dea782@iki.fi> User-Agent: Mutt/2.1.4 (2021-12-11) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --ziJvP/BYUGzwRdQ0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Greetings, * Heikki Linnakangas (hlinnaka@iki.fi) wrote: > On 07/03/2024 02:12, David Zhang wrote: > > The SSL_CTX_load_verify_locations function in OpenSSL will return NULL > > if there is a system error, such as "No such file or directory" in this > > case: > >=20 > > const char *ERR_reason_error_string(unsigned long e) > > { > > =A0=A0=A0 ERR_STRING_DATA d, *p =3D NULL; > > =A0=A0=A0 unsigned long l, r; > >=20 > > =A0=A0=A0 if (!RUN_ONCE(&err_string_init, do_err_strings_init)) { > > =A0=A0=A0=A0=A0=A0=A0 return NULL; > > =A0=A0=A0 } > >=20 > > =A0=A0=A0 /* > > =A0=A0=A0=A0 * ERR_reason_error_string() can't safely return system e= rror strings, > > =A0=A0=A0=A0 * since openssl_strerror_r() needs a buffer for thread s= afety, and we > > =A0=A0=A0=A0 * haven't got one that would serve any sensible purpose. > > =A0=A0=A0=A0 */ > > =A0=A0=A0 if (ERR_SYSTEM_ERROR(e)) > > =A0=A0=A0=A0=A0=A0=A0 return NULL; >=20 > That's pretty unfortunate. As typical with OpenSSL, this stuff is not very > well documented, but I think we could do something like this in > SSLerrmessage(): >=20 > if (ERR_SYSTEM_ERROR(e)) > errreason =3D strerror(ERR_GET_REASON(e)); >=20 > ERR_SYSTEM_ERROR only exists in OpenSSL 3.0 and above, and the only > documentation I could find was in this one obscure place in the man pages= : https://www.openssl.org/docs/man3.2/man3/BIO_dgram_get_local_addr_enable.= html. > But as a best-effort thing, it would still be better than "SSL error code > 2147483650". Agreed that it doesn't seem well documented. I was trying to figure out what the 'right' answer here was myself and not having much success. If the above works, then +1 to that. > > It would be better to perform a simple SSL file check before passing the > > SSL file to OpenSSL APIs so that the system error can be captured and a > > meaningful message provided to the end user. >=20 > That feels pretty ugly. I agree it would catch most of the common mistakes > in practice, so maybe we should just hold our noses and do it anyway, if = the > above ERR_SYSTEM_ERROR() method doesn't work. Yeah, seems better to try and handle this the OpenSSL way ... if that's possible to do. > It's sad that we cannot pass a file descriptor or in-memory copy of the f= ile > contents to those functions. Agreed. Thanks! Stephen --ziJvP/BYUGzwRdQ0 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEwf6gbxKhD863zrx/7WyKOINHZFUFAmXp+OcACgkQ7WyKOINH ZFX0qQ//QgKc7jLsisl4fOJz3W6FlfhG2Kud4LN9R9U5FY37uCKek/85wc7FYWCx AT0TwiUrriImAz/U+liSQHbE8STT4y+4ZSA0JEGj/IyCrkCoSFjyOWqv4P1wPDat PzWIXQBfWDF9KTH6pijDJK8LZvtDG2EIRc8l4MwMU1ofgDbUNeDD6cdxzT4Lt0rK pceqNABN/5DnCpcttVcru3jXlX8xHDpPmZF4z63VlE9WCP6tFHNNFJU99BuFMd5p 2+6Q9L5LP15yT81OZkL27zlE3a3fBP0ku43N7b51ddqol/tUavGGE+7vX/O3bca/ f4T7qVUgb/4XmjRlUhhP13wgIhRVFklULzwifH4ZRzh8VAqwv/ta99DSepQiucnO jSnZi/eDWiKtfmHTW7Mg71PaYftnxkTQ0s48h3wXoXudbQQEDtL+2eA2LrOZqHvu A4BkXnERYawytH+fvfgOfwnjWr3JPljmmHitFiKjcv89x9d8I1yWORxrkSf5JqiT NUAd2QJy+NgVwb0+b8Gl7ewtbwp30LLzqaiUG3VxI6ZmcjpfUj+7X1Jc6Darsc2c aM5m5caU5i3U1bhc9KC9a1GhMb3eLIB/UsNSks6OB7RLNK5wgScdDRWF30IbIJjW 48Jf+ChV7E+JxZc+dyrGkfxErJCp0M1T1sf8sd4JMkhvmhWFxFw= =hvJT -----END PGP SIGNATURE----- --ziJvP/BYUGzwRdQ0--