Re: sslmode=secure by default (Re: Making sslrootcert=system work on Windows psql)
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Jelte Fennema-Nio <postgres@jeltef.nl>
Cc: Peter Eisentraut <peter@eisentraut.org>, Christoph Berg <myon@debian.org>, George MacKerron <george@mackerron.co.uk>,
Daniel Gustafsson <daniel@yesql.se>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-04-25T18:55:40Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
doc: Clarify the system value for sslrootcert
- dda1b0603523 16.9 landed
- daa16893faa9 18.0 landed
- c88b36d382eb 17.5 landed
On Thu, Apr 24, 2025 at 3:16 PM Jelte Fennema-Nio <postgres@jeltef.nl> wrote: > Why is this dangerous? As long as we'd validate that the provided cert > by the server is for example.com I can't help but read this as "as long as everyone mitigates the danger, what's the danger?" We won't be the only implementers of any URL schemes we introduce. > I don't see any security problem in > having DNS resolution happen for evil.com, nor in having the IP > addresses hardcoded using hostaddr. I think if we introduce a new scheme with the idea that it's "HTTPS mode", it needs to behave very similarly to HTTPS, so people reason about it correctly in worst-case corner cases. To attack an https:// connection, you need to both steal the server key _and_ get the client to talk to you instead of the real server. And for HTTPS, that second part generally requires hijacking DNS or mounting a successful MITM, not modifying the query. The idea of a query string overriding the //authority is... weird. It breaks the conventions of generic parsers (and I will include "humans" in that group). We're "allowed" to do it, I guess -- it's our scheme, we do it with our existing schemes today, and the IETF isn't going to send spec police to our doors -- but I don't think we should. Thanks, --Jacob