Re: [HACKERS] fe-secure.c and SSL/TLS

2013-11-30 Thread Jeffrey Walton
> I could not get TLSv1.1+ with that. But I'm working against
> Ubuntu 12.04 default OpenSSL. I'll try with other versions too.

That looks like an Ubuntu 12.04 limitation: http://postimg.org/image/3ju4fu0y1/

I would bet the 1.0.0 version of OpenSSL is less than 1.0.0h:

$ ldd /usr/lib/x86_64-linu

Re: [HACKERS] fe-secure.c and SSL/TLS

2013-11-30 Thread Marko Kreen
On Sat, Nov 30, 2013 at 03:46:06AM -0500, Jeffrey Walton wrote:
> >> I believe the "standard" way of achieving TLS1.0 and above is to use
> >> the SSLv23_client_method() and then remove the SSL protocols with
> >> SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3. I have to use handwaving around
> >> "standard"

Re: [HACKERS] fe-secure.c and SSL/TLS

2013-11-30 Thread Jeffrey Walton
Hi Marko,

Sorry to go offlist.

>> I believe the "standard" way of achieving TLS1.0 and above is to use
>> the SSLv23_client_method() and then remove the SSL protocols with
>> SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3. I have to use handwaving around
>> "standard" because I don't believe it's documen

Re: [HACKERS] fe-secure.c and SSL/TLS

2013-11-30 Thread Jeffrey Walton
> According to SSL_set_verify manpage, you are perhaps talking about
> SSL_VERIFY_NONE case? Which has suggestion that you should call
> SSL_get_verify_result if you want to know if cert was valid.
>
> But if SSL_VERIFY_PEER is used, this is not needed.

Oh man, I missed that detail. Please a

Re: [HACKERS] fe-secure.c and SSL/TLS

2013-11-29 Thread Marko Kreen
On Fri, Nov 29, 2013 at 06:01:01PM -0500, Jeffrey Walton wrote:
> I know of no other ways to check the result of OpenSSL's chain
> validation. The open question (for me) is where are
> SSL_get_verify_result/X509_V_OK checked? Neither show up in the
> Postgres sources.

According to SSL_set_verify m

Re: [HACKERS] fe-secure.c and SSL/TLS

2013-11-29 Thread Jeffrey Walton
Hi Marko,

Forgive me for cherry picking two of these...

> I think Postgres uses SSL_VERIFY_PEER + SSL_set_verify() callback instead.
> At least for me, the psql -d "dbname=foo sslmode=verify-ca" fails
> when cert does not match.

I can't comment on the use of psql. My apologies for my ignorance. H

Re: [HACKERS] fe-secure.c and SSL/TLS

2013-11-29 Thread Marko Kreen
Reply to mails in pgsql-bugs:

http://www.postgresql.org/message-id/CAH8yC8mc_2J2UY0Q42WQdWFyaoqT3onG+83Fr=vn46j5+ml...@mail.gmail.com

and

http://www.postgresql.org/message-id/CAH8yC8nZVUyCQznkQd8=ELMM4k_=uxjrjt8yf9v22cy2x_d...@mail.gmail.com

* Default ciphersuite

> I would argue nothing