TLS verification to intermediate trust anchor with psql

From: Miroslav Pankov <miroslav(dot)pankov(at)broadcom(dot)com>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: TLS verification to intermediate trust anchor with psql
Date: 2025-10-21 08:15:29
Message-ID: CAE_nMfJZ71ByBujwbLB5-i423_64rP7kYaUbG9NtfD+rMA040A@mail.gmail.com
Lists: pgsql-bugs

Hi team.

I would like to raise that per RFC 5280 section 6.1
<https://datatracker.ietf.org/doc/html/rfc5280#section-6.1>, TLS
verification could be established with a trust anchor which is an
intermediate CA and not the root CA in the chain. However, working with
psql CLI, sslmode=verify-ca or verify-full, I need to specify sslrootcert
to a file containing the root CA.

I think the behavior is derived from libpq and openssl. However, I would
like to raise it for a debate on the reasoning and would appreciate the PG
team position on it.

NOTE: I am aware that OS-trust works with sslrootcert=system in PG 16+.

Regards.
Miroslav
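
The OpenSSL chain-building behaviour the message refers to can be reproduced with the `openssl` command line alone. This is an added example, not part of the original message and not PostgreSQL code; the three-certificate PKI and its names (demo-root, demo-int, demo-leaf) are constructed for the demonstration, and `-partial_chain` is the command-line form of OpenSSL's `X509_V_FLAG_PARTIAL_CHAIN`.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI: demo-root -> demo-int -> demo-leaf.
# All names and files are made up for this example.

build_chain() {  # $1 = empty working directory
  (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    for n in root int leaf; do
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
        -keyout "$n.key" -out "$n.csr" || exit 1
    done
    # Self-signed root, intermediate signed by root, leaf signed by intermediate.
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.ext -days 2 -out int.pem &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -extfile leaf.ext -days 2 -out leaf.pem
  ) >/dev/null 2>&1
}

# Echoes "ok" or "fail" for: openssl verify <options> leaf.pem
verify() {  # $1 = directory, remaining args = openssl verify options
  vdir=$1; shift
  if ( cd "$vdir" && openssl verify "$@" leaf.pem ) >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

demo() {
  demo_dir=$(mktemp -d) || return 1
  build_chain "$demo_dir" || { rm -rf "$demo_dir"; return 1; }
  # 1. Root is the trust anchor; the intermediate is only an untrusted helper.
  echo "root anchor, intermediate untrusted: $(verify "$demo_dir" -CAfile root.pem -untrusted int.pem)"
  # 2. Only the intermediate is trusted: OpenSSL still looks for its issuer.
  echo "intermediate anchor, default flags:  $(verify "$demo_dir" -CAfile int.pem)"
  # 3. Same trust store, but a non-self-signed trusted cert may end the chain.
  echo "intermediate anchor, -partial_chain: $(verify "$demo_dir" -CAfile int.pem -partial_chain)"
  rm -rf "$demo_dir"
}

demo
```

The script exercises OpenSSL's verifier only; it does not show which verification flags libpq sets.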
