| From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
|---|---|
| To: | Miroslav Pankov <miroslav(dot)pankov(at)broadcom(dot)com> |
| Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: TLS verification to intermediate trust anchor with psql |
| Date: | 2025-10-21 20:44:52 |
| Message-ID: | CAOYmi+nynxdrAy_wKp4RCjZxOTjW=Ls_bAJQSxD2Dgns-5a6wg@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Tue, Oct 21, 2025 at 6:01 AM Miroslav Pankov
<miroslav(dot)pankov(at)broadcom(dot)com> wrote:
> I would like to raise that per RFC 5280 secton 6.1, TLS verification could be established with a trust anchor which is an intermediate CA and not the root CA in the chain. However, working with psql CLI, sslmode=verify-ca or verify-full, I need to specify sslrootcert to a file containing the root CA.
We can also handle other trust anchors, but the rules for those in
OpenSSL are more complicated than "it exists in sslrootcert". From
[1]:
> A certificate, which may be CA certificate or an end-entity certificate,
> is considered a trust anchor for the intended use if and only if all the
> following conditions hold:
>
> - It is an element of the trust store.
>
> - It does not have a negative trust attribute rejecting the EKU
> associated with the intended purpose.
>
> - It has a positive trust attribute accepting the EKU associated with
> the intended purpose or it does not have any positive trust attribute
> and one of the following compatibility conditions apply: It is
> self-signed or the -partial_chain option is given (which corresponds
> to the X509_V_FLAG_PARTIAL_CHAIN flag being set).
You can add that trust attribute yourself, using `openssl x509`:
$ psql 'sslrootcert=intermediate.crt sslmode=verify-full'
psql: error: connection to server at "127.0.0.1", port 5432 failed:
SSL error: certificate verify failed
$ openssl x509 -addtrust serverAuth -in intermediate.crt -out
trusted_intermediate.crt
$ psql 'sslrootcert=trusted_intermediate.crt sslmode=verify-full'
postgres=#
This new cert looks slightly different from the original: the PEM
contains "BEGIN TRUSTED CERTIFICATE" and contains additional bits at
the end.
That seems easy enough, if underdocumented. I don't imagine that we
want to start setting _PARTIAL_CHAIN, for the same reason OpenSSL
hasn't switched to that by default [2]: this is long-standing behavior
that should probably not catch people by surprise during an upgrade.
(And as Viktor Dukhovni tells it in that thread, he'd have preferred
that self-signed certificates were not trusted by default either, but
obviously that can't be changed now.)
--Jacob
[1] https://docs.openssl.org/master/man1/openssl-verification-options/#trust-anchors
[2] https://github.com/openssl/openssl/issues/7871
| From | Date | Subject | |
|---|---|---|---|
| Next Message | badfilez@gmail.com | 2025-10-22 06:19:37 | Re: PG17.6 wal apply bug (SIGSEGV) |
| Previous Message | David Rowley | 2025-10-21 20:29:15 | Re: Segfault in RI UPDATE CASCADE on partitioned tables with LIKE+ATTACH child (attnum drift) |