| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Zeus Kronion <zkronion(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Possible SSL improvements for a newcomer to tackle |
| Date: | 2017-10-03 15:05:26 |
| Message-ID: | CABUevEwU2pDowmVkJdAATk8Bf5Amn9c5M6+=Vj8rCiMg-YA1=g@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Oct 3, 2017 at 3:51 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> Tom,
>
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> > Magnus Hagander <magnus(at)hagander(dot)net> writes:
> > > On Tue, Oct 3, 2017 at 6:33 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > >> I'm not an SSL expert, so insert appropriate grain of salt, but AIUI
> the
> > >> question is what are you going to verify against?
> >
> > > One way to do it would be to default to the "system global certificate
> > > store", which is what most other SSL apps do. For example on a typical
> > > debian/ubuntu, that'd be the store in /etc/ssl/certs/ca-
> certificates.crt.
> > > Exactly where to find them would be distribution-specific though, and
> we
> > > would need to actually add support for a second certificate store. But
> that
> > > would probably be a useful feature in itself.
> >
> > Maybe. The impression I have is that it's very common for installations
> > to use a locally-run CA to generate server and client certs. I would not
> > expect them to put such certs into /etc/ssl/certs. But I suppose there
> > might be cases where you would actually pay for a universally-valid cert
> > for a DB server ...
>
> In many larger enterprises, they actually deploy systems with their own
> CA installed into the system global certificate store (possibly removing
> certain other CAs from that set too, and distributing their own version
> of the relevant package that maintains the CA set).
>
I think this is also something that's seen more now than it used to be.
Back when we initially did the SSL support, few people actually did this.
That's not just for this scenario of course -- larger enterprises are much
more likely to *have* proper PKI management today, and if they do then it
will include the Linux boxes.
Bottom line: things in this area has change greatly in the past 10-15 years.
--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2017-10-03 15:06:08 | Re: SendRowDescriptionMessage() is slow for queries with a lot of columns |
| Previous Message | Craig Ringer | 2017-10-03 14:57:43 | Re: Postgresql gives error that role goes not exists while it exists |