Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Andrew Dunstan <andrew@dunslane.net>, thomas@habets.se, pgsql-hackers@postgresql.org
Date: 2021-09-28T01:09:11Z
Lists: pgsql-hackers
On Tue, Sep 7, 2021 at 12:58:44PM -0400, Tom Lane wrote: > Yeah, that would mostly fix the usability concern. I guess what it > comes down to is whether you think that public or private certs are > likely to be the majority use-case in the long run. The shortage of > previous requests for this feature says that right now, just about > everyone is using self-signed or private-CA certs for Postgres > servers. So it would likely be a long time, if ever, before public-CA > certs become the majority use-case. > > On the other hand, even if I'm using a private CA, there's a lot > to be said for adding its root cert to system-level trust stores > rather than copying it into individual users' home directories. > So I still feel like there's a pretty good case for allowing use > of the system store to happen by default. (As I said, I'd always > thought that was *already* what would happen.) I don't think public CA's are not a good idea for complex setups since they open the ability for an external party to create certificates that are trusted by your server's CA, e.g., certificate authentication. I can see public certs being useful for default installs where the client _only_ wants to verify the server is valid. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com If only the physical world exists, free will is an illusion.
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed