Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: thomas(at)habets(dot)se, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date: 2021-09-07 16:48:27
Message-ID: 3203331.1631033307@sss.pgh.pa.us
Lists: pgsql-hackers

Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> You don't have to copy anything to achieve what you want. Just set the
> sslrootcert parameter of your connection to point to the system file. e.g.

> psql "sslmode=verify-full sslrootcert=/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt ..."

While that does work for me, it seems pretty OS-specific and
user-unfriendly. Why should ordinary users need to know that
much about their platform's OpenSSL installation?

regards, tom lane
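
Added example, not part of the message above and not PostgreSQL project code: a shell sketch of what the `sslrootcert` approach asks of every user, namely probing for wherever the platform keeps its CA bundle and failing closed if none is found. The candidate path list and both function names are assumptions for illustration; actual locations vary by distribution and OpenSSL packaging.

```shell
#!/bin/sh
# Assumed list of common system CA bundle locations. This list is an
# illustration only: no single path is valid on every platform.
CA_BUNDLE_CANDIDATES="
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/ssl/cert.pem
/usr/local/share/certs/ca-root-nss.crt
"

# Print the first candidate that is readable and contains at least one
# PEM certificate header. An optional first argument overrides the list.
find_system_ca_bundle() {
    for f in ${1:-$CA_BUNDLE_CANDIDATES}; do
        if [ -r "$f" ] && grep -q -e '-----BEGIN .*CERTIFICATE-----' "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Build a libpq connection string that verifies the server certificate
# against the discovered bundle. If no bundle is found, return an error
# instead of silently dropping to a weaker sslmode.
pg_conninfo_verify_full() {
    host=$1
    candidates=${2:-$CA_BUNDLE_CANDIDATES}
    bundle=$(find_system_ca_bundle "$candidates") || {
        echo "no system CA bundle found; not connecting without verification" >&2
        return 1
    }
    printf 'host=%s sslmode=verify-full sslrootcert=%s\n' "$host" "$bundle"
}

# Usage (hypothetical host name):
#   psql "$(pg_conninfo_verify_full db.example.test) dbname=app"
```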
