Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Andrew Dunstan <andrew@dunslane.net>
From: Andrew Dunstan <andrew@dunslane.net>
To: Tom Lane <tgl@sss.pgh.pa.us>, thomas@habets.se
Cc: pgsql-hackers@postgresql.org
Date: 2021-09-07T16:50:19Z
Lists: pgsql-hackers
On 9/7/21 11:47 AM, Tom Lane wrote: > > This is not how I supposed it worked, That happens to me more than I usually admit -) > so I'm coming around to the idea > that we need to do something. I don't like the details of Thomas' > proposal though; specifically I don't see a need to invent a new sslmode > value. I think it should just be "if ~/.postgresql/root.crt doesn't > exist, use the system's default trust store". > > I agree sslmode is the wrong vehicle. An alternative might be to allow a magic value for sslrootcert, say "system" which would make it go and look in the system's store wherever that is, without the user having to know exactly where. OTOH it would require that the user knows that the system's store is being used, which might not be a bad thing. cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com
Commits
-
ci: Remove OpenSSL 3.1 workaround for missing system CA
- c5e4ec293ea5 16.0 landed
-
Fix errormessage for missing system CA in OpenSSL 3.1
- 0b5d1fb36add 16.0 landed
-
Add MacPorts support to src/test/ldap tests.
- 9517e6e1dd60 11.20 landed
-
Allow to use system CA pool for certificate verification
- 8eda73146527 16.0 landed