From: | Jacob Champion <jchampion(at)timescale(dot)com> |
---|---|
To: | thomas(at)habets(dot)se |
Cc: | pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net> |
Subject: | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
Date: | 2022-11-03 23:39:17 |
Message-ID: | 5682277f-6d27-5c42-3afd-10496b25bff0@timescale.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, Nov 1, 2022 at 10:55 AM Jacob Champion <jchampion(at)timescale(dot)com>
wrote:
> On Tue, Nov 1, 2022 at 10:03 AM Jacob Champion <jchampion(at)timescale(dot)com> wrote:
> > I'm not familiar with "unregistered scheme" in this context and will
> > need to dig in.
>
> Unfortunately I can't reproduce with 3.0.0 on Ubuntu :(
Sorry, when rereading my own emails I suspect they didn't make much
sense to readers. The failure I'm talking about is in cfbot [1], on the
Monterey/Meson build, which is using OpenSSL 3.0.0. I unfortunately
cannot reproduce this on my own Ubuntu machine.
There is an additional test failure with LibreSSL, which doesn't appear
to honor the SSL_CERT_FILE environment variable. This isn't a problem in
production -- if you're using LibreSSL, you'd presumably understand that
you can't use that envvar -- but it makes testing difficult, because I
don't yet know a way to tell LibreSSL to use a different set of roots
for the duration of a test. Has anyone dealt with this before?
> If there are no valuable use cases for weaker checks, then we could go
> even further than my 0002 and just reject any weaker sslmodes
> outright. That'd be nice.
I plan to take this approach in a future v3, with the opinion that it'd
be better for this feature to start life as strict as possible.
--Jacob
From | Date | Subject | |
---|---|---|---|
Next Message | Ian Lawrence Barwick | 2022-11-03 23:46:02 | Re: ExecRTCheckPerms() and many prunable partitions |
Previous Message | Ian Lawrence Barwick | 2022-11-03 23:37:09 | Re: [PATCH] Expand character set for ltree labels |