Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Greg Stark <stark@mit.edu>
From: Greg Stark <stark@mit.edu>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Andrew Dunstan <andrew@dunslane.net>, thomas@habets.se, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2021-09-17T21:35:58Z
Lists: pgsql-hackers
Hm. Let's Encrypt's FAQ tells me I'm on the right track with that question but the distinctinos are far more coarse than I was worried about: Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites? Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more. Email encryption and code signing require a different type of certificate that Let’s Encrypt does not issue. So it sounds like, at least for SSL connections, we should use the same certificate authorities used to authenticate web sites. If ever we implemented signed extensions, for example, it might require different certificates -- I don't know what that means for the SSL validation rules and the storage for them.
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed