Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Andrew Dunstan <andrew@dunslane.net>
From: Andrew Dunstan <andrew@dunslane.net>
To: Jacob Champion <pchampion@vmware.com>, "cam@macaroon.net"
<cam@macaroon.net>, "thomas@habets.se" <thomas@habets.se>
Cc: "stark@mit.edu" <stark@mit.edu>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>,
"tgl@sss.pgh.pa.us" <tgl@sss.pgh.pa.us>
Date: 2021-09-22T18:59:13Z
Lists: pgsql-hackers
On 9/22/21 2:36 PM, Jacob Champion wrote: > On Sat, 2021-09-18 at 14:20 +0200, Cameron Murdoch wrote: >> Having sslrootcert use the system trust store if >> ~/.postgresql/root.crt doesn’t exist would seem like a good change. > Fallback behavior can almost always be exploited given the right > circumstances. IMO, if I've told psql to use a root cert, it really > needs to do that and not trust anything else. > >> Changing sslmode to default to something else would mostly likely >> break a ton of existing installations, and there are plenty of use >> cases were ssl isn’t used. Trying ssl first and without afterwards >> probably is still a sensible default. However… > The discussion on changing the sslmode default behavior seems like it > can be separated from the use of system certificates. Not to shut down > that branch of the conversation, but is there enough tentative support > for an "sslrootcert=system" option to move forward with that, while > also discussing potential changes to the sslmode defaults? > > The NSS patchset [1] also deals with this problem. FWIW, it currently > treats an empty ssldatabase setting as "use the system's (Mozilla's) > trusted roots". > I think we need to be consistent on this. NSS builds and OpenSSL builds should act the same, mutatis mutandis. cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed