On Mon, Jul 10, 2017 at 11:19 PM, Jeff Janes <jeff.janes@xxxxxxxxx> wrote:
Is there a way to get libpq to hand over the certificate it gets from the server, so I can inspect it with other tools that give better diagnostic messages? I've tried to scrape it out of the output of "strace -s8192", but since it is binary it is difficult to figure out where it begins and ends within the larger server response method.
PQgetssl() or PQsslStruct() should give you the required struct from OpenSSL, which you can then use OpenSSL to inspect. You should be able to use (I think) SSL_get_peer_certificate() to get at it.
(this is what libpq does and stores it in ->peer, but that's a private api. But you can see be-secure-openssl.c for some examples)