Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Andrew Dunstan <andrew@dunslane.net>

From: Andrew Dunstan <andrew@dunslane.net>
To: Tom Lane <tgl@sss.pgh.pa.us>, thomas@habets.se
Cc: pgsql-hackers@postgresql.org
Date: 2021-09-07T16:50:19Z
Lists: pgsql-hackers
On 9/7/21 11:47 AM, Tom Lane wrote:
>
> This is not how I supposed it worked, 


That happens to me more than I usually admit -)


> so I'm coming around to the idea
> that we need to do something.  I don't like the details of Thomas'
> proposal though; specifically I don't see a need to invent a new sslmode
> value.  I think it should just be "if ~/.postgresql/root.crt doesn't
> exist, use the system's default trust store".
>
> 			


I agree sslmode is the wrong vehicle.

An alternative might be to allow a magic value for sslrootcert, say
"system" which would make it go and look in the system's store wherever
that is, without the user having to know exactly where. OTOH it would
require that the user knows that the system's store is being used, which
might not be a bad thing.


cheers


andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com




Commits

  1. ci: Remove OpenSSL 3.1 workaround for missing system CA

  2. Fix errormessage for missing system CA in OpenSSL 3.1

  3. Add MacPorts support to src/test/ldap tests.

  4. Allow to use system CA pool for certificate verification