Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Andrew Dunstan <andrew@dunslane.net>
From: Andrew Dunstan <andrew@dunslane.net>
To: Jelte Fennema <postgres@jeltef.nl>,
Jacob Champion <jchampion@timescale.com>
Cc: Michael Paquier <michael@paquier.xyz>, thomas@habets.se,
pgsql-hackers@postgresql.org, Tom Lane <tgl@sss.pgh.pa.us>,
Bruce Momjian <bruce@momjian.us>
Date: 2023-01-09T15:40:34Z
Lists: pgsql-hackers
On 2023-01-09 Mo 10:07, Jelte Fennema wrote: > Thanks for clarifying your reasoning. I now agree that ssrootcert=system > is now the best option. Cool, that looks like a consensus. > >>> 2. Should we allow the same approach with ssl_ca_file on the server side, for client cert validation? >> I don't know enough about this use case to implement it safely. We'd >> have to make sure the HBA entry is checking the hostname (so that we >> do the reverse DNS dance), and I guess we'd need to introduce a new >> clientcert verify-* mode? Also, it seems like server operators are >> more likely to know exactly which roots they need, at least compared >> to clients. I agree the feature is useful, but I'm not excited about >> attaching it to this patchset. I'm confused. A client cert might not have a hostname at all, and isn't used to verify the connecting address, but to verify the username. It needs to have a CN/DN equal to the user name of the connection, or that maps to that name via pg_ident.conf. cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed