Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Greg Stark <stark@mit.edu>
Cc: Andrew Dunstan <andrew@dunslane.net>, thomas@habets.se,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2021-09-17T18:53:02Z
Lists: pgsql-hackers
Greg Stark <stark@mit.edu> writes: > However I have a different question. Are the system certificates > intended or general purpose certificates? Do they have their intended > uses annotated on the certificates? Does SSL Verification have any > logic deciding which certificates are appropriate for signing servers? AFAIK, once you've stuck a certificate into the system store, it will be trusted by every service on your machine. Most distros ship system-store contents that are basically just designed for web browers, because the web is the only widely-applicable use case. Like you said, chicken and egg problem. regards, tom lane
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed