| From: | Thomas Berger <thomas(dot)berger(at)1und1(dot)de> |
|---|---|
| To: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Usage of the system truststore for SSL certificate validation |
| Date: | 2019-09-19 14:54:22 |
| Message-ID: | 3267904.gQGN15cTPc@lxka-fl3lqq2 |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi,
currently, libpq does SSL cerificate validation only against the defined
`PGSSLROOTCERT` file.
Is there any specific reason, why the system truststore ( at least under
unixoid systems) is not considered for the validation?
We would like to contribute a patch to allow certificate validation against
the system truststore. Are there any opinions against it?
A little bit background for this:
Internally we sign the certificates for our systems with our own CA. The CA
root certificates and revocation lists are distributed via puppet and/or
packages on all of our internal systems.
Validating the certificate against this CA requires to either override the
PGSSLROOTCERT location via the environment or provide a copy of the file for
each user that connects with libpq or libpq-like connectors.
We would like to simplify this.
--
Thomas Berger
PostgreSQL DBA
Database Operations
1&1 Telecommunication SE | Ernst-Frey-Straße 10 | 76135 Karlsruhe | Germany
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2019-09-19 15:00:45 | Re: backup manifests |
| Previous Message | Sergei Kornilov | 2019-09-19 14:46:06 | Re: allow online change primary_conninfo |