Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: thomas(at)habets(dot)se, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date: 2021-09-07 14:16:51
Message-ID: 43f39bd0-77e0-d173-f9e1-fec7490ba6e3@dunslane.net
Lists: pgsql-hackers


On 9/6/21 6:21 PM, thomas(at)habets(dot)se wrote:
> On Mon, 6 Sep 2021 20:47:37 +0100, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> said:
>> I'm confused by your description of this patch. AFAIK, OpenSSL verifies
>> against the system-wide CA pool by default. Why do we need to do
>> anything?
> Experimentally, no it doesn't. Or if it does, then it doesn't verify
> the CN/altnames of the cert.
>
> sslmode=require allows self-signed and name mismatch.
>
> verify-ca errors out if there is no ~/.postgresql/root.crt. verify-full too.
>
> It seems that currently postgresql verifies the name if and only if
> verify-full is used, and then only against ~/.postgresql/root.crt CA file.
>
> But could be that I missed a config option?

That's my understanding. But can't you specify a CA cert in the system's
CA store if necessary? e.g. on my Fedora system I think it's
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com
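As an added example (not part of the thread or of PostgreSQL's own code), the approach Andrew asks about: point libpq's `sslrootcert` at the distribution's CA bundle so that `sslmode=verify-full` checks both the chain and the hostname. The Fedora path is the one named in the mail; the other bundle paths are assumptions about other distributions, and `db.example.com` / `app` are constructed sample values.

```shell
#!/bin/sh
# Added example: use the system CA bundle as libpq's sslrootcert with verify-full.

# Candidate bundle locations. The Fedora path is from the mail; the RHEL-style
# and Debian/Ubuntu paths are assumptions about those distribution families.
DEFAULT_CA_BUNDLES="/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt"

# find_system_ca_bundle [path ...]: print the first readable bundle, or fail.
# With no arguments the default candidate list above is searched.
find_system_ca_bundle() {
  if [ "$#" -eq 0 ]; then
    set -- $DEFAULT_CA_BUNDLES
  fi
  for f in "$@"; do
    if [ -r "$f" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}

# verify_full_conninfo HOST DBNAME BUNDLE: build a libpq conninfo string that
# rejects untrusted chains and hostname mismatches. There is deliberately no
# fallback to sslmode=require: a missing bundle is an error, not a silently
# weaker connection.
verify_full_conninfo() {
  host=$1
  dbname=$2
  bundle=$3
  if [ ! -r "$bundle" ]; then
    echo "CA bundle not readable: $bundle" >&2
    return 1
  fi
  printf 'host=%s dbname=%s sslmode=verify-full sslrootcert=%s\n' \
    "$host" "$dbname" "$bundle"
}

# Usage (constructed host and database name):
#   bundle=$(find_system_ca_bundle) && \
#     psql "$(verify_full_conninfo db.example.com app "$bundle")"
```

The same bundle path can instead be exported as `PGSSLROOTCERT` so that every libpq client in the session picks it up without a conninfo change.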
