Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Andrew Dunstan <andrew@dunslane.net>
Cc: thomas@habets.se, pgsql-hackers@postgresql.org
Date: 2021-09-07T16:58:44Z
Lists: pgsql-hackers
Andrew Dunstan <andrew@dunslane.net> writes: > On 9/7/21 11:47 AM, Tom Lane wrote: >> so I'm coming around to the idea >> that we need to do something. I don't like the details of Thomas' >> proposal though; specifically I don't see a need to invent a new sslmode >> value. I think it should just be "if ~/.postgresql/root.crt doesn't >> exist, use the system's default trust store". > An alternative might be to allow a magic value for sslrootcert, say > "system" which would make it go and look in the system's store wherever > that is, without the user having to know exactly where. OTOH it would > require that the user knows that the system's store is being used, which > might not be a bad thing. Yeah, that would mostly fix the usability concern. I guess what it comes down to is whether you think that public or private certs are likely to be the majority use-case in the long run. The shortage of previous requests for this feature says that right now, just about everyone is using self-signed or private-CA certs for Postgres servers. So it would likely be a long time, if ever, before public-CA certs become the majority use-case. On the other hand, even if I'm using a private CA, there's a lot to be said for adding its root cert to system-level trust stores rather than copying it into individual users' home directories. So I still feel like there's a pretty good case for allowing use of the system store to happen by default. (As I said, I'd always thought that was *already* what would happen.) regards, tom lane
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed