Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Bruce Momjian <bruce@momjian.us>

From: Bruce Momjian <bruce@momjian.us>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Andrew Dunstan <andrew@dunslane.net>, thomas@habets.se, pgsql-hackers@postgresql.org
Date: 2021-09-28T01:09:11Z
Lists: pgsql-hackers
On Tue, Sep  7, 2021 at 12:58:44PM -0400, Tom Lane wrote:
> Yeah, that would mostly fix the usability concern.  I guess what it
> comes down to is whether you think that public or private certs are
> likely to be the majority use-case in the long run.  The shortage of
> previous requests for this feature says that right now, just about
> everyone is using self-signed or private-CA certs for Postgres
> servers.  So it would likely be a long time, if ever, before public-CA
> certs become the majority use-case.
> 
> On the other hand, even if I'm using a private CA, there's a lot
> to be said for adding its root cert to system-level trust stores
> rather than copying it into individual users' home directories.
> So I still feel like there's a pretty good case for allowing use
> of the system store to happen by default.  (As I said, I'd always
> thought that was *already* what would happen.)

I don't think public CA's are not a good idea for complex setups since
they open the ability for an external party to create certificates that
are trusted by your server's CA, e.g., certificate authentication.  I
can see public certs being useful for default installs where the client
_only_ wants to verify the server is valid.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.




Commits

  1. ci: Remove OpenSSL 3.1 workaround for missing system CA

  2. Fix errormessage for missing system CA in OpenSSL 3.1

  3. Add MacPorts support to src/test/ldap tests.

  4. Allow to use system CA pool for certificate verification