Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: thomas@habets.se
Cc: Andrew Dunstan <andrew@dunslane.net>, pgsql-hackers@postgresql.org, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2021-10-04T21:14:36Z
Lists: pgsql-hackers
On Tue, Sep 28, 2021 at 02:54:39AM -0700, thomas@habets.se wrote: > On Tue, 28 Sep 2021 02:09:11 +0100, Bruce Momjian <bruce@momjian.us> said: > > I don't think public CA's are not a good idea for complex setups since > > they open the ability for an external party to create certificates that > > are trusted by your server's CA, e.g., certificate authentication. > > I'm not arguing for, and in fact would argue against, public CA for > client certs. > > So that's a separate issue. > > Note that mTLS prevents a MITM attack that exposes server data even if > server cert is compromised or re-issued, so if the install is using > client certs (with private CA) then the public CA for server matters > much less. > > You can end up at the wrong server, yes, and provide data as INSERT, > but can't steal or corrupt existing data. > > And you say for complex setups. Fair enough. But currently I'd say the > default is wrong, and what should be default is not configurable. Agreed, I think this needs much more discussion and documentation. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com If only the physical world exists, free will is an illusion.
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed