From: | thomas(at)habets(dot)se |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
Date: | 2021-09-06 22:21:13 |
Message-ID: | CA+kHd+d9+GCfSEj5nNwEru2vd5wbeqeo0AswEAgfG1oqJ0_FyA@mail.gmail.com |
Lists: | pgsql-hackers |
On Mon, 6 Sep 2021 20:47:37 +0100, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> said:
> I'm confused by your description of this patch. AFAIK, OpenSSL verifies
> against the system-wide CA pool by default. Why do we need to do
> anything?
Experimentally, no, it doesn't. Or if it does, then it doesn't verify
the CN/altnames of the cert.
sslmode=require allows self-signed and name mismatch.
verify-ca errors out if there is no ~/.postgresql/root.crt. verify-full too.
It seems that currently postgresql verifies the name if and only if
verify-full is used, and then only against ~/.postgresql/root.crt CA file.
But it could be that I missed a config option?
--
typedef struct me_s {
char name[] = { "Thomas Habets" };
char email[] = { "thomas(at)habets(dot)se" };
char kernel[] = { "Linux" };
char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" };
char pgp[] = { "9907 8698 8A24 F52F 1C2E 87F6 39A4 9EEA 460A 0169" };
char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
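As an added illustration of the distinction Thomas draws above (my own Python model of the sslmode semantics, not libpq code and not part of the patch): which modes validate the certificate chain, against which trust store, and which also check the server name. The `POLICY` table, the `verify-system` row and the helper names are assumptions that follow the thread's description.

```python
import os
import ssl

# The client-side CA file libpq consults for verify-ca / verify-full,
# as named in the thread.
DEFAULT_ROOT_CRT = os.path.expanduser("~/.postgresql/root.crt")

# Hypothetical policy table (assumption, modelled on the thread):
#   require       - TLS is used, but self-signed certs and name mismatches pass
#   verify-ca     - chain must lead to ~/.postgresql/root.crt; name not checked
#   verify-full   - as verify-ca, plus the server name must match CN/SAN
#   verify-system - proposed: chain checked against the OS CA pool, name checked
POLICY = {
    "require":       {"verify": False, "check_hostname": False, "trust": None},
    "verify-ca":     {"verify": True,  "check_hostname": False, "trust": "root.crt"},
    "verify-full":   {"verify": True,  "check_hostname": True,  "trust": "root.crt"},
    "verify-system": {"verify": True,  "check_hostname": True,  "trust": "system"},
}


def make_context(sslmode, root_crt=DEFAULT_ROOT_CRT):
    """Build an ssl.SSLContext that enforces what the given sslmode promises."""
    try:
        policy = POLICY[sslmode]
    except KeyError:
        raise ValueError(f"unsupported sslmode {sslmode!r}") from None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be set before verify_mode can be relaxed to CERT_NONE.
    ctx.check_hostname = policy["check_hostname"]
    ctx.verify_mode = ssl.CERT_REQUIRED if policy["verify"] else ssl.CERT_NONE
    if policy["trust"] == "root.crt":
        if not os.path.exists(root_crt):
            # Mirrors the failure in the thread: verify-ca and verify-full
            # refuse to work without the client-side CA file.
            raise FileNotFoundError(f"{sslmode} needs a CA file at {root_crt}")
        ctx.load_verify_locations(cafile=root_crt)
    elif policy["trust"] == "system":
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def describe(ctx):
    """(chain is verified, server name is checked) for a built context."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname)


def authenticates_server(sslmode):
    """True only if the mode validates the chain AND checks the name."""
    p = POLICY[sslmode]
    return p["verify"] and p["check_hostname"]
```

Only the two modes for which `authenticates_server` is true actually bind the connection to a named server; `require` encrypts without authenticating, and `verify-ca` leaves the name unchecked.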