| From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Cc: | Jacob Champion <pchampion(at)vmware(dot)com>, "cam(at)macaroon(dot)net" <cam(at)macaroon(dot)net>, "thomas(at)habets(dot)se" <thomas(at)habets(dot)se>, "stark(at)mit(dot)edu" <stark(at)mit(dot)edu>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "tgl(at)sss(dot)pgh(dot)pa(dot)us" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Subject: | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
| Date: | 2021-09-22 20:12:03 |
| Message-ID: | 1F0B017E-1542-45F0-85C0-0CE40CCCE998@yesql.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On 22 Sep 2021, at 20:59, Andrew Dunstan <andrew(at)dunslane(dot)net> wrote:
> I think we need to be consistent on this. NSS builds and OpenSSL builds
> should act the same, mutatis mutandis.
I 100% agree. Different TLS backends should be able use different truststores
etc but once the server is running they must be identical in terms of how they
interact with a connecting client. I've tried hard to match our OpenSSL
implementation when hacking on the NSS support, but no doubt I've slipped up
somewhere so indepth reviews like what Jacob et.al have done is needed (and
very welcome).
--
Daniel Gustafsson https://vmware.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2021-09-22 20:44:35 | Re: Release 14 Schedule |
| Previous Message | Jonathan S. Katz | 2021-09-22 20:04:06 | Re: Release 14 Schedule |