Fix for pgbouncer/pgbouncer#713 (libusual#53)

This is a fix for: pgbouncer/pgbouncer#713 The issue was pretty simple: the CSR was lacking a filled DN section. This was tracked down by reverse-engineering the communication done by Postgres (which works with DataStudio/Looker without any issues) and Postgres via pgbouncer. After comparing packets sent on the handshake to DataStudio/Looker by those two, I was able to provide a small fix resolving the linked issue.
toofishes · Apr 29, 2024 · f6bab04 · f6bab04
1 parent 7a22315
commit f6bab04
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/usual/tls/tls_server.c b/usual/tls/tls_server.c
@@ -56,6 +56,7 @@ int
 tls_configure_server(struct tls *ctx)
 {
 	EC_KEY *ecdh_key;
+	STACK_OF(X509_NAME) * cert_stack;
 	unsigned char sid[SSL_MAX_SSL_SESSION_ID_LENGTH];
 
 	if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
@@ -114,6 +115,9 @@ tls_configure_server(struct tls *ctx)
 		goto err;
 	}
 
+	cert_stack = SSL_load_client_CA_file(ctx->config->ca_file);
+    	SSL_CTX_set_client_CA_list(ctx->ssl_ctx, cert_stack);
+
 	return (0);
 
  err: