Re: sslmode=secure by default (Re: Making sslrootcert=system work on Windows psql)

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Peter Eisentraut <peter@eisentraut.org>
Cc: Christoph Berg <myon@debian.org>, George MacKerron <george@mackerron.co.uk>, Daniel Gustafsson <daniel@yesql.se>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-04-24T16:45:50Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. doc: Clarify the system value for sslrootcert

On Thu, Apr 24, 2025 at 5:00 AM Peter Eisentraut <peter@eisentraut.org> wrote:
> I'm generally in favor of making sslmode=verify-full the effective
> default somehow.

+many

On Thu, Apr 24, 2025 at 3:53 AM Christoph Berg <myon@debian.org> wrote:
> For
> postgresql://-style strings, we would ideally have something like http://
> vs https://, but I am not sure how to squeeze that into the syntax.

Not to derail things too much, but I'd also like a postgress://
scheme, and I've put a little bit of idle thought into it. I think
we'd want it to imply sslnegotiation=direct and sslrootcert=system
(modulo the Windows discussion already in progress), and potentially
make a bunch of stricter decisions about TLS settings to better match
modern practice. The intent would be to have a "browser-strength"
scheme for people who care more about security than about raw
compatibility with older systems, because they're connecting to
someone else's servers on the open Web.

The hardest part, in my opinion, is that we'd have to start following
the RFC concept of "authority". A URL of
"postgress://example.com/db?host=evil.com&hostaddr=..." is outright
dangerous, as is "postgress://example.com/db?sslmode=disable". So if
there's interest in that scheme, I think it should remain a separate
feature from "verify-full by default", because there's a lot more to
figure out.

--Jacob