Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Andrew Dunstan <andrew@dunslane.net>
From: Andrew Dunstan <andrew@dunslane.net>
To: thomas@habets.se, Jacob Champion <jchampion@timescale.com>
Cc: pgsql-hackers@postgresql.org, Tom Lane <tgl@sss.pgh.pa.us>,
Bruce Momjian <bruce@momjian.us>
Date: 2022-10-25T14:26:41Z
Lists: pgsql-hackers
On 2022-10-25 Tu 07:01, thomas@habets.se wrote: > On Tue, 25 Oct 2022 01:03:23 +0100, Jacob Champion > <jchampion@timescale.com> said: >> I'd like to try to get this conversation started again. To pique >> interest I've attached a new version of 0001, which implements >> `sslrootcert=system` instead as suggested upthread. In 0002 I went >> further and switched the default sslmode to `verify-full` when using >> the system CA roots, because I feel pretty strongly that anyone >> interested in using public CA systems is also interested in verifying >> hostnames. (Otherwise, why make the switch?) > Yeah I agree that not forcing verify-full when using system CAs is a > giant foot-gun, and many will stop configuring just until it works. > > Is there any argument for not checking hostname when using a CA pool > for which literally anyone can create a cert that passes? > > It makes sense for self-signed, or "don't care", since that provides > at least protection against passive attacks, but if someone went out > of their way to get a third party signed cert, then it doesn't. > > One downside to this approach is that now one option will change the > value of another option. For SSL mode (my rejected patch :-) ) that > makes maybe some more sense. > > For users, what is more surprising: A foot-gun that sounds safe, or > one option that overrides another? I don't find too much difficulty in having one option's default depend on another's value, as long as it's documented. cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed