From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | thomas(at)habets(dot)se, Jacob Champion <jchampion(at)timescale(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us> |
Subject: | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
Date: | 2022-10-25 14:26:41 |
Message-ID: | 41e936fc-0eaf-106f-58bd-fd1aa78c6687@dunslane.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 2022-10-25 Tu 07:01, thomas(at)habets(dot)se wrote:
> On Tue, 25 Oct 2022 01:03:23 +0100, Jacob Champion
> <jchampion(at)timescale(dot)com> said:
>> I'd like to try to get this conversation started again. To pique
>> interest I've attached a new version of 0001, which implements
>> `sslrootcert=system` instead as suggested upthread. In 0002 I went
>> further and switched the default sslmode to `verify-full` when using
>> the system CA roots, because I feel pretty strongly that anyone
>> interested in using public CA systems is also interested in verifying
>> hostnames. (Otherwise, why make the switch?)
> Yeah I agree that not forcing verify-full when using system CAs is a
> giant foot-gun, and many will stop configuring just until it works.
>
> Is there any argument for not checking hostname when using a CA pool
> for which literally anyone can create a cert that passes?
>
> It makes sense for self-signed, or "don't care", since that provides
> at least protection against passive attacks, but if someone went out
> of their way to get a third party signed cert, then it doesn't.
>
> One downside to this approach is that now one option will change the
> value of another option. For SSL mode (my rejected patch :-) ) that
> makes maybe some more sense.
>
> For users, what is more surprising: A foot-gun that sounds safe, or
> one option that overrides another?
I don't find too much difficulty in having one option's default depend
on another's value, as long as it's documented.
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
From | Date | Subject | |
---|---|---|---|
Next Message | Heikki Linnakangas | 2022-10-25 14:46:49 | Re: Confused about TransactionIdSetTreeStatus |
Previous Message | Tom Lane | 2022-10-25 14:18:57 | Re: Fix gin index cost estimation |