From: | Isaac Morland <isaac(dot)morland(at)gmail(dot)com> |
---|---|
To: | Thomas Berger <thomas(dot)berger(at)1und1(dot)de> |
Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Usage of the system truststore for SSL certificate validation |
Date: | 2019-09-19 16:26:27 |
Message-ID: | CAMsGm5edBeUxhWM8tbMJg9n1rA2mU2FrYjxLyDd3JzmNd+1gMg@mail.gmail.com |
Lists: | pgsql-hackers |

If we're going to open this up, can we add an option to say "this key is
allowed to log in to this account", SSH style?

I like the idea of using keys rather than .pgpass, but I like the
~/.ssh/authorized_keys model and don't like the "set up an entire
certificate infrastructure" approach.

On Thu, 19 Sep 2019 at 10:54, Thomas Berger <thomas(dot)berger(at)1und1(dot)de> wrote:
> Hi,
>
> currently, libpq does SSL certificate validation only against the defined
> `PGSSLROOTCERT` file.
>
> Is there any specific reason, why the system truststore (at least under
> unixoid systems) is not considered for the validation?
>
> We would like to contribute a patch to allow certificate validation
> against the system truststore. Are there any opinions against it?
>
>
> A little bit background for this:
>
> Internally we sign the certificates for our systems with our own CA. The
> CA root certificates and revocation lists are distributed via puppet and/or
> packages on all of our internal systems.
>
> Validating the certificate against this CA requires to either override the
> PGSSLROOTCERT location via the environment or provide a copy of the file
> for each user that connects with libpq or libpq-like connectors.
>
> We would like to simplify this.
>
>
> --
> Thomas Berger
>
> PostgreSQL DBA
> Database Operations
>
> 1&1 Telecommunication SE | Ernst-Frey-Straße 10 | 76135 Karlsruhe | Germany
>
>
>