| From: | Nico Williams <nico(at)cryptonector(dot)com> |
|---|---|
| To: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Zeus Kronion <zkronion(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Possible SSL improvements for a newcomer to tackle |
| Date: | 2017-10-04 19:10:37 |
| Message-ID: | 20171004191031.GU1251@localhost |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Oct 04, 2017 at 11:47:45AM -0700, Jeff Janes wrote:
> On Mon, Oct 2, 2017 at 9:33 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > It's possible that we could adopt some policy like "if the root.crt file
> > exists then default to verify" ... but that seems messy and unreliable,
> > so I'm not sure it would really add any security.
>
> That is what we do. If root.crt exists, we default to verify-ca.
>
> And yes, it is messy and unreliable. I don't know if it adds any security
> or not.
>
> Or do you mean we could default to verify-full instead of verify-ca?
I would rather psql defaulted to verify-full and let users deal with
errors by either a) configuring appropriate trust anchors and
provisioning appropriate certificates, or b) disabling verify-full.
Users should know that they are using psql(1) insecurely -- it has to be
obvious.
Yes, this would be a backwards-incompatible change, but security tends
to justify this sort of change.
Another possibility would be to make this default change only applicable
when using postgresql-scheme URIs (which I do, almost religiously --
they are much easier to use than all alternative connection data
specifications).
Nico
--
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2017-10-04 19:12:32 | Re: 64-bit queryId? |
| Previous Message | Robert Haas | 2017-10-04 18:54:30 | Re: Partition-wise join for join between (declaratively) partitioned tables |