debugging SSL connection problems

Started by Jeff Janes, almost 9 years ago, 3 messages, general
#1 Jeff Janes
jeff.janes@gmail.com

Is there a way to get libpq to hand over the certificate it gets from the
server, so I can inspect it with other tools that give better diagnostic
messages? I've tried to scrape it out of the output of "strace -s8192",
but since it is binary it is difficult to figure out where it begins and
ends within the larger server response method.

Thanks,

Jeff

#2 Magnus Hagander
magnus@hagander.net
In reply to: Jeff Janes (#1)
Re: debugging SSL connection problems

On Mon, Jul 10, 2017 at 11:19 PM, Jeff Janes <jeff.janes@gmail.com> wrote:

Is there a way to get libpq to hand over the certificate it gets from the
server, so I can inspect it with other tools that give better diagnostic
messages? I've tried to scrape it out of the output of "strace -s8192",
but since it is binary it is difficult to figure out where it begins and
ends within the larger server response method.

PQgetssl() or PQsslStruct() should give you the required struct from
OpenSSL, which you can then use OpenSSL to inspect. You should be able to
use (I think) SSL_get_peer_certificate() to get at it.

(this is what libpq does and stores it in ->peer, but that's a private api.
But you can see be-secure-openssl.c for some examples)

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/

#3 Michael Paquier
michael@paquier.xyz
In reply to: Magnus Hagander (#2)
Re: debugging SSL connection problems

On Tue, Jul 11, 2017 at 6:32 AM, Magnus Hagander <magnus@hagander.net> wrote:

On Mon, Jul 10, 2017 at 11:19 PM, Jeff Janes <jeff.janes@gmail.com> wrote:

Is there a way to get libpq to hand over the certificate it gets from the
server, so I can inspect it with other tools that give better diagnostic
messages? I've tried to scrape it out of the output of "strace -s8192", but
since it is binary it is difficult to figure out where it begins and ends
within the larger server response method.

PQgetssl() or PQsslStruct() should give you the required struct from
OpenSSL, which you can then use OpenSSL to inspect. You should be able to
use (I think) SSL_get_peer_certificate() to get at it.

Yes, that will work. The SSL context stored in PGconn offers enough
entry points to access all the SSL-related data.
--
Michael

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general