Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Jacob Champion <jchampion@timescale.com>
From: Jacob Champion <jchampion@timescale.com>
To: Bruce Momjian <bruce@momjian.us>
Cc: thomas@habets.se, Andrew Dunstan <andrew@dunslane.net>,
pgsql-hackers@postgresql.org, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2022-10-25T00:03:23Z
Lists: pgsql-hackers
Attachments
- v2-0002-libpq-default-to-verify-full-for-system-CAs.patch (text/x-patch) patch v2-0002
- v2-0001-libpq-add-sslrootcert-system-to-use-default-CAs.patch (text/x-patch) patch v2-0001
On Mon, Oct 4, 2021 at 9:14 PM Bruce Momjian <bruce@momjian.us> wrote: > On Tue, Sep 28, 2021 at 02:54:39AM -0700, thomas@habets.se wrote: > > And you say for complex setups. Fair enough. But currently I'd say the > > default is wrong, and what should be default is not configurable. > > Agreed, I think this needs much more discussion and documentation. I'd like to try to get this conversation started again. To pique interest I've attached a new version of 0001, which implements `sslrootcert=system` instead as suggested upthread. In 0002 I went further and switched the default sslmode to `verify-full` when using the system CA roots, because I feel pretty strongly that anyone interested in using public CA systems is also interested in verifying hostnames. (Otherwise, why make the switch?) Notes: - 0001, like Thomas' original patch, uses SSL_CTX_set_default_verify_paths(). This will load both a default file and a default directory. This is probably what most people want if they're using the system roots -- just give me whatever the local system wants me to use! -- but sslrootcert currently deals with files only, I think. Is that a problem? - The implementation in 0002 goes all the way down to conninfo_add_defaults(). Maybe this is overly complex. Should I just make sslmode a derived option, via connectOptions2()? Thanks, --Jacob
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed