Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Greg Stark <stark(at)mit(dot)edu>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, thomas(at)habets(dot)se, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date: 2021-09-17 18:53:02
Message-ID: 1346301.1631904782@sss.pgh.pa.us
Lists: pgsql-hackers

Greg Stark <stark(at)mit(dot)edu> writes:
> However I have a different question. Are the system certificates
> intended or general purpose certificates? Do they have their intended
> uses annotated on the certificates? Does SSL Verification have any
> logic deciding which certificates are appropriate for signing servers?

AFAIK, once you've stuck a certificate into the system store, it
will be trusted by every service on your machine. Most distros
ship system-store contents that are basically just designed for
web browsers, because the web is the only widely-applicable use
case. Like you said, chicken and egg problem.

regards, tom lane
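Greg's question above is whether a verifier has any logic deciding which certificates are appropriate for signing servers. The following is an added example, not code from this thread, from libpq or from PostgreSQL: it uses Go's standard crypto/x509 package (not OpenSSL, which libpq actually uses) to show one verifier that does apply such logic. It builds a throwaway root CA whose Extended Key Usage (EKU) extension is restricted as the caller chooses, issues a server certificate for a constructed hostname under it, and then verifies that server certificate against a trust pool containing only that root for the TLS server-auth purpose. The CA subject name and the hostname are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for template. When parent is nil the
// certificate is self-signed with its own fresh key; otherwise it is
// signed by parentKey, which must belong to parent.
func makeCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent = template
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// ServerChainTrusted creates a root CA whose EKU extension is limited to
// caEKUs (nil means no EKU extension at all, i.e. unrestricted), issues a
// serverAuth leaf for hostname under it, and reports whether Go's verifier
// accepts the leaf for TLS server authentication when that root is the only
// trusted one. A false result with a nil error means the chain was rejected
// as incompatible with the requested usage; any other failure is returned.
func ServerChainTrusted(caEKUs []x509.ExtKeyUsage, hostname string) (bool, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           caEKUs,
	}
	ca, caKey, err := makeCert(caTmpl, nil, nil)
	if err != nil {
		return false, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srv, _, err := makeCert(srvTmpl, ca, caKey)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// KeyUsages is left empty: Go then requires ExtKeyUsageServerAuth on every
	// certificate in the chain that carries an EKU extension.
	_, err = srv.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots})
	if err == nil {
		return true, nil
	}
	if _, ok := err.(x509.CertificateInvalidError); ok {
		return false, nil
	}
	return false, err
}

func main() {
	host := "db.example.test" // constructed hostname
	cases := map[string][]x509.ExtKeyUsage{
		"root EKU = serverAuth":    {x509.ExtKeyUsageServerAuth},
		"root EKU = clientAuth":    {x509.ExtKeyUsageClientAuth},
		"root without EKU (unrestricted)": nil,
	}
	for name, ekus := range cases {
		ok, err := ServerChainTrusted(ekus, host)
		fmt.Printf("%-34s trusted for server auth: %v (err=%v)\n", name, ok, err)
	}
}
```

The point the example makes is narrow: a verifier can honour a CA certificate's EKU extension, so a root marked for client authentication only will not validate a server chain here. Whether the roots a distro ships in its system store actually carry such restrictions is a separate matter; public web roots generally have no EKU extension and so, as the reply above says, are trusted for any purpose once installed.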
