Re: Possible SSL improvements for a newcomer to tackle

On Tue, Oct 03, 2017 at 09:44:01AM -0400, Tom Lane wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
> > On Tue, Oct 3, 2017 at 6:33 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> >> I'm not an SSL expert, so insert appropriate grain of salt, but AIUI the
> >> question is what are you going to verify against?
>
> > One way to do it would be to default to the "system global certificate
> > store", which is what most other SSL apps do. For example on a typical
> > debian/ubuntu, that'd be the store in /etc/ssl/certs/ca-certificates.crt.
> > Exactly where to find them would be distribution-specific though, and we
> > would need to actually add support for a second certificate store. But that
> > would probably be a useful feature in itself.
>
> Maybe. The impression I have is that it's very common for installations
> to use a locally-run CA to generate server and client certs. I would not
> expect them to put such certs into /etc/ssl/certs. But I suppose there
> might be cases where you would actually pay for a universally-valid cert
> for a DB server ...

No, that is very common. However, in non-enterprise uses it's also very
common for those to be Web PKI certificates, which would be very
inappropriate for use in PG, so I agree that PG should not use the
system trust anchor set by default. PG should just require that a trust
anchor set be configured.

Nico
--