From: | Cameron Murdoch <cam(at)macaroon(dot)net> |
---|---|
To: | Thomas Habets <thomas(at)habets(dot)se> |
Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Greg Stark <stark(at)mit(dot)edu>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Subject: | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
Date: | 2021-09-18 12:20:27 |
Message-ID: | CAEKtD7+giXAhSz_wkmL0FtnuhRSq3tEemCiL2H7xCv-pTpeAUg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Sat, 18 Sep 2021 at 12:57, Thomas Habets <thomas(at)habets(dot)se> wrote:
>
> But these are two changes:
> 1. Actually verify against a CA
> 2. Actually check the CN/altnames
>
> Anything short of "verify-full" is in my view "not checking". Even with a
> private CA this allows for a lot of lateral movement in an org, as if you
> have one cert you have them all, for impersonation purposes.
>
100% agree. I suspect that many postgres users are not completely aware
that by default their ssl connections do not check the CA or CN/altnames.
> Changing such a default is a big change.
>
Agreed. It is going to break existing installs that rely on the current
behaviour.
There are two defaults to worry about here:
sslmode=prefer
sslrootcert=~/.postgresql/root.crt
Having sslrootcert use the system trust store if ~/.postgresql/root.crt
doesn’t exist would seem like a good change.
Changing sslmode to default to something else would mostly likely break a
ton of existing installations, and there are plenty of use cases were ssl
isn’t used. Trying ssl first and without afterwards probably is still a
sensible default. However…
I haven’t completely through this through, but what if the sslmode=prefer
logic was:
1. Try ssl first, with both CA and CN checking (ie same as verify-full)
2. Print warnings appropriate to what type of ssl connection can be made
3. If all else fails, try without ssl.
In other words start with verify-full and downgrade gracefully to prefer,
but actually tell the user that this has happen.
Essentially sslmode=prefer is a type of opportunistic encryption. I’m
suggesting making it try stronger levels of ssl opportunistically. Require,
verify-ca and verify-full can keep their semantics, or rather, they should
all try verify-full first and then downgrade (with warnings logged) to the
level they actually enforce.
Thanks
C
From | Date | Subject | |
---|---|---|---|
Next Message | Tomas Vondra | 2021-09-18 13:18:43 | Re: Gather performance analysis |
Previous Message | Thomas Habets | 2021-09-18 10:57:05 | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |