From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
Cc: | thomas(at)habets(dot)se, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
Date: | 2021-09-07 16:58:44 |
Message-ID: | 3203806.1631033924@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> On 9/7/21 11:47 AM, Tom Lane wrote:
>> so I'm coming around to the idea
>> that we need to do something. I don't like the details of Thomas'
>> proposal though; specifically I don't see a need to invent a new sslmode
>> value. I think it should just be "if ~/.postgresql/root.crt doesn't
>> exist, use the system's default trust store".
> An alternative might be to allow a magic value for sslrootcert, say
> "system" which would make it go and look in the system's store wherever
> that is, without the user having to know exactly where. OTOH it would
> require that the user knows that the system's store is being used, which
> might not be a bad thing.
Yeah, that would mostly fix the usability concern. I guess what it
comes down to is whether you think that public or private certs are
likely to be the majority use-case in the long run. The shortage of
previous requests for this feature says that right now, just about
everyone is using self-signed or private-CA certs for Postgres
servers. So it would likely be a long time, if ever, before public-CA
certs become the majority use-case.
On the other hand, even if I'm using a private CA, there's a lot
to be said for adding its root cert to system-level trust stores
rather than copying it into individual users' home directories.
So I still feel like there's a pretty good case for allowing use
of the system store to happen by default. (As I said, I'd always
thought that was *already* what would happen.)
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Bossart, Nathan | 2021-09-07 17:08:43 | Re: Estimating HugePages Requirements? |
Previous Message | Andrew Dunstan | 2021-09-07 16:50:19 | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |