Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Jacob Champion <pchampion(at)vmware(dot)com>, "cam(at)macaroon(dot)net" <cam(at)macaroon(dot)net>, "thomas(at)habets(dot)se" <thomas(at)habets(dot)se>
Cc: "stark(at)mit(dot)edu" <stark(at)mit(dot)edu>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "tgl(at)sss(dot)pgh(dot)pa(dot)us" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date: 2021-09-22 18:59:13
Message-ID: d2cae5e3-cf01-b654-7d5d-2ab77c75eea1@dunslane.net
Lists: pgsql-hackers


On 9/22/21 2:36 PM, Jacob Champion wrote:
> On Sat, 2021-09-18 at 14:20 +0200, Cameron Murdoch wrote:
>> Having sslrootcert use the system trust store if
>> ~/.postgresql/root.crt doesn’t exist would seem like a good change.
> Fallback behavior can almost always be exploited given the right
> circumstances. IMO, if I've told psql to use a root cert, it really
> needs to do that and not trust anything else.
>
>> Changing sslmode to default to something else would most likely
>> break a ton of existing installations, and there are plenty of use
>> cases where ssl isn’t used. Trying ssl first and without afterwards
>> probably is still a sensible default. However…
> The discussion on changing the sslmode default behavior seems like it
> can be separated from the use of system certificates. Not to shut down
> that branch of the conversation, but is there enough tentative support
> for an "sslrootcert=system" option to move forward with that, while
> also discussing potential changes to the sslmode defaults?
>
> The NSS patchset [1] also deals with this problem. FWIW, it currently
> treats an empty ssldatabase setting as "use the system's (Mozilla's)
> trusted roots".
>

I think we need to be consistent on this. NSS builds and OpenSSL builds
should act the same, mutatis mutandis.

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com
