From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | Jacob Champion <pchampion(at)vmware(dot)com>, "cam(at)macaroon(dot)net" <cam(at)macaroon(dot)net>, "thomas(at)habets(dot)se" <thomas(at)habets(dot)se> |
Cc: | "stark(at)mit(dot)edu" <stark(at)mit(dot)edu>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "tgl(at)sss(dot)pgh(dot)pa(dot)us" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Subject: | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
Date: | 2021-09-22 18:59:13 |
Message-ID: | d2cae5e3-cf01-b654-7d5d-2ab77c75eea1@dunslane.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 9/22/21 2:36 PM, Jacob Champion wrote:
> On Sat, 2021-09-18 at 14:20 +0200, Cameron Murdoch wrote:
>> Having sslrootcert use the system trust store if
>> ~/.postgresql/root.crt doesn’t exist would seem like a good change.
> Fallback behavior can almost always be exploited given the right
> circumstances. IMO, if I've told psql to use a root cert, it really
> needs to do that and not trust anything else.
>
>> Changing sslmode to default to something else would mostly likely
>> break a ton of existing installations, and there are plenty of use
>> cases were ssl isn’t used. Trying ssl first and without afterwards
>> probably is still a sensible default. However…
> The discussion on changing the sslmode default behavior seems like it
> can be separated from the use of system certificates. Not to shut down
> that branch of the conversation, but is there enough tentative support
> for an "sslrootcert=system" option to move forward with that, while
> also discussing potential changes to the sslmode defaults?
>
> The NSS patchset [1] also deals with this problem. FWIW, it currently
> treats an empty ssldatabase setting as "use the system's (Mozilla's)
> trusted roots".
>
I think we need to be consistent on this. NSS builds and OpenSSL builds
should act the same, mutatis mutandis.
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
From | Date | Subject | |
---|---|---|---|
Next Message | Shruthi Gowda | 2021-09-22 19:06:50 | Re: preserving db/ts/relfilenode OIDs across pg_upgrade (was Re: storing an explicit nonce) |
Previous Message | Jacob Champion | 2021-09-22 18:36:00 | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |