Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Jacob Champion <pchampion@vmware.com>
From: Jacob Champion <pchampion@vmware.com>
To: "cam@macaroon.net" <cam@macaroon.net>, "thomas@habets.se" <thomas@habets.se>
Cc: "andrew@dunslane.net" <andrew@dunslane.net>, "stark@mit.edu" <stark@mit.edu>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, "tgl@sss.pgh.pa.us" <tgl@sss.pgh.pa.us>
Date: 2021-09-22T18:36:00Z
Lists: pgsql-hackers
On Sat, 2021-09-18 at 14:20 +0200, Cameron Murdoch wrote: > Having sslrootcert use the system trust store if > ~/.postgresql/root.crt doesn’t exist would seem like a good change. Fallback behavior can almost always be exploited given the right circumstances. IMO, if I've told psql to use a root cert, it really needs to do that and not trust anything else. > Changing sslmode to default to something else would mostly likely > break a ton of existing installations, and there are plenty of use > cases were ssl isn’t used. Trying ssl first and without afterwards > probably is still a sensible default. However… The discussion on changing the sslmode default behavior seems like it can be separated from the use of system certificates. Not to shut down that branch of the conversation, but is there enough tentative support for an "sslrootcert=system" option to move forward with that, while also discussing potential changes to the sslmode defaults? The NSS patchset [1] also deals with this problem. FWIW, it currently treats an empty ssldatabase setting as "use the system's (Mozilla's) trusted roots". --Jacob [1] https://www.postgresql.org/message-id/flat/FAB21FC8-0F62-434F-AA78-6BD9336D630A@yesql.se
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed