Re: Possible SSL improvements for a newcomer to tackle

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Zeus Kronion <zkronion(at)gmail(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Possible SSL improvements for a newcomer to tackle
Date: 2017-10-03 04:33:00
Message-ID: 17344.1507005180@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Zeus Kronion <zkronion(at)gmail(dot)com> writes:
> 2) I was surprised to learn the following from the docs:

>> By default, PostgreSQL will not perform any verification of the server
>> certificate.

> Is there a technical reason to perform no verification by default? Wouldn't
> a safer default be desirable?

I'm not an SSL expert, so insert appropriate grain of salt, but AIUI the
question is what are you going to verify against? You need some local
notion of which are your trusted root certificates before you can verify
anything. So to default to verification would be to default to failing to
connect at all until user has created a ~/.postgresql/root.crt file with
valid, relevant entries. That seems like a nonstarter.

It's possible that we could adopt some policy like "if the root.crt file
exists then default to verify" ... but that seems messy and unreliable,
so I'm not sure it would really add any security.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Michael Paquier 2017-10-03 04:35:06 Re: Possible SSL improvements for a newcomer to tackle
Previous Message Tom Lane 2017-10-03 04:21:02 Re: Conversion error