Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Andrew Dunstan <andrew@dunslane.net>
From: Andrew Dunstan <andrew@dunslane.net>
To: thomas@habets.se, Tom Lane <tgl@sss.pgh.pa.us>
Cc: pgsql-hackers@postgresql.org
Date: 2021-09-07T14:16:51Z
Lists: pgsql-hackers
On 9/6/21 6:21 PM, thomas@habets.se wrote: > On Mon, 6 Sep 2021 20:47:37 +0100, Tom Lane <tgl@sss.pgh.pa.us> said: >> I'm confused by your description of this patch. AFAIK, OpenSSL verifies >> against the system-wide CA pool by default. Why do we need to do >> anything? > Experimentally, no it doesn't. Or if it does, then it doesn't verify > the CN/altnames of the cert. > > sslmode=require allows self-signed and name mismatch. > > verify-ca errors out if there is no ~/.postgresql/root.crt. verify-full too. > > It seems that currently postgresql verifies the name if and only if > verify-full is used, and then only against ~/.postgresql/root.crt CA file. > > But could be that I missed a config option? That's my understanding. But can't you specify a CA cert in the system's CA store if necessary? e.g. on my Fedora system I think it's /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed