Thread: [GENERAL] debugging SSL connection problems
Is there a way to get libpq to hand over the certificate it gets from the server, so I can inspect it with other tools that give better diagnostic messages? I've tried to scrape it out of the output of "strace -s8192", but since it is binary it is difficult to figure out where it begins and ends within the larger server response method.
Thanks,
Jeff
On Mon, Jul 10, 2017 at 11:19 PM, Jeff Janes <jeff.janes@gmail.com> wrote:
Is there a way to get libpq to hand over the certificate it gets from the server, so I can inspect it with other tools that give better diagnostic messages? I've tried to scrape it out of the output of "strace -s8192", but since it is binary it is difficult to figure out where it begins and ends within the larger server response method.
PQgetssl() or PQsslStruct() should give you the required struct from OpenSSL, which you can then use OpenSSL to inspect. You should be able to use (I think) SSL_get_peer_certificate() to get at it.
(this is what libpq does and stores it in ->peer, but that's a private api. But you can see be-secure-openssl.c for some examples)
On Tue, Jul 11, 2017 at 6:32 AM, Magnus Hagander <magnus@hagander.net> wrote: > On Mon, Jul 10, 2017 at 11:19 PM, Jeff Janes <jeff.janes@gmail.com> wrote: >> Is there a way to get libpq to hand over the certificate it gets from the >> server, so I can inspect it with other tools that give better diagnostic >> messages? I've tried to scrape it out of the output of "strace -s8192", but >> since it is binary it is difficult to figure out where it begins and ends >> within the larger server response method. >> > > PQgetssl() or PQsslStruct() should give you the required struct from > OpenSSL, which you can then use OpenSSL to inspect. You should be able to > use (I think) SSL_get_peer_certificate() to get at it. Yes that will work. The SSL context stored in PGconn offers enough entry point to access all the SSL-related data. -- Michael