From: | George MacKerron <george(at)mackerron(dot)co(dot)uk> |
---|---|
To: | Christoph Berg <myon(at)debian(dot)org> |
Cc: | Daniel Gustafsson <daniel(at)yesql(dot)se>, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Making sslrootcert=system work on Windows psql |
Date: | 2025-04-03 13:46:42 |
Message-ID: | CA4CF26D-0E9D-4371-B76E-56C907F2046F@mackerron.co.uk |
Lists: | pgsql-hackers |
> On 3 Apr 2025, at 14:28, Christoph Berg <myon(at)debian(dot)org> wrote:
>
> What are the chances of making "use the system/os default CA store"
> the default? "sslmode=require" would then already actually "require" a
> certificate if I'm reading the docs right. This would match user
> expectation for POLA.
Right: the issue at present is that sslmode=require does require a certificate, but IIRC basically any old certificate will do. It doesn’t need to be signed by any particular CA. It doesn’t even need to have the server’s name on it.
> This default could then be pointed at the correct locations (plural)
> on all operating systems. (sslrootcert=system:wincert:otherlocation?)
>
> The "default default" would still be sslmode=prefer so it wouldn't
> break today's normal case. Users of sslmode=require will understand
> that supplying a CA certificate is no longer optional.
>
> Perhaps an sslmode=require-weak could be added as a workaround.
I would love it if sslmode=require started verifying against OS cert stores and so became secure against MITM attacks. I’d certainly support that. But I would say that’s a much bigger backwards-incompatible change than the one I was asking for. :)
--
George MacKerron
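The distinction drawn above (sslmode=require accepts any certificate, while only verify-full ties the certificate to a trusted CA and to the host name) can be checked mechanically against a connection string. The Python below is an added illustration for this thread, not code from the thread or from PostgreSQL itself; it encodes the libpq sslmode/sslrootcert rules as documented (require verifies the CA only if a root certificate file is present; sslrootcert=system, from PG16, defaults sslmode to verify-full and rejects anything weaker). It assumes keyword=value DSN syntax and the Unix default root certificate path; the function names parse_dsn, classify and explain are mine.

```python
"""Audit what a libpq connection string actually verifies about the server.

Added illustration, not PostgreSQL project code.  Assumptions: keyword=value
DSN syntax only (postgresql:// URIs are not handled) and the Unix default
root certificate path ~/.postgresql/root.crt.
"""
import os
import shlex
from dataclasses import dataclass
from typing import Optional

SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
DEFAULT_ROOTCERT = os.path.expanduser("~/.postgresql/root.crt")  # Unix default


@dataclass(frozen=True)
class TlsGuarantees:
    sslmode: str
    tls_forced: bool        # never falls back to a plaintext connection
    ca_checked: bool        # server cert must chain to a trusted CA
    hostname_checked: bool  # server cert must name the host we dialled
    note: str


def parse_dsn(dsn: str) -> dict:
    """Parse "key=value key2='quoted value'" into a dict."""
    params = {}
    for token in shlex.split(dsn):
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed DSN token: {token!r}")
        params[key] = value
    return params


def classify(dsn: str, rootcert_present: Optional[bool] = None) -> TlsGuarantees:
    """Return the server-authentication guarantees of a connection string.

    rootcert_present overrides the filesystem check so the audit runs offline;
    None means "look for the configured (or default) root.crt on disk".
    """
    p = parse_dsn(dsn)
    rootcert = p.get("sslrootcert", "")
    system_store = rootcert == "system"

    # sslrootcert=system flips the default sslmode from prefer to verify-full ...
    mode = p.get("sslmode", "verify-full" if system_store else "prefer")
    if mode not in SSLMODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    # ... and libpq refuses any weaker mode combined with it.
    if system_store and mode != "verify-full":
        raise ValueError(f"weak sslmode {mode!r} may not be used with sslrootcert=system")

    if system_store:
        rootcert_present = True
    elif rootcert_present is None:
        rootcert_present = os.path.exists(rootcert or DEFAULT_ROOTCERT)

    tls_forced = mode in ("require", "verify-ca", "verify-full")
    # require only verifies the chain when a root CA file exists (then it acts like verify-ca)
    ca_checked = mode in ("verify-ca", "verify-full") or (mode == "require" and rootcert_present)
    hostname_checked = mode == "verify-full"

    if mode in ("verify-ca", "verify-full") and not rootcert_present:
        note = "libpq will fail to connect: verify-* needs a root CA file"
    elif not tls_forced:
        note = "may silently fall back to plaintext"
    elif not ca_checked:
        note = "any server certificate accepted, so an impostor with a self-signed cert is not detected"
    elif not hostname_checked:
        note = "CA checked, but a certificate issued for any name by that CA is accepted"
    else:
        note = "full server authentication"
    return TlsGuarantees(mode, tls_forced, ca_checked, hostname_checked, note)


def explain(dsn: str, rootcert_present: Optional[bool] = None) -> str:
    """One-line verdict for a config audit; libpq-style errors become text."""
    try:
        g = classify(dsn, rootcert_present)
    except ValueError as e:
        return f"error: {e}"
    flags = (("tls", g.tls_forced), ("ca", g.ca_checked), ("hostname", g.hostname_checked))
    checks = ", ".join(name for name, on in flags if on) or "none"
    return f"sslmode={g.sslmode}: verifies [{checks}]; {g.note}"


if __name__ == "__main__":
    # Constructed sample DSNs; the bool simulates whether the named root.crt exists.
    samples = (
        ("host=db.example.com sslmode=require", False),
        ("host=db.example.com sslmode=require sslrootcert=ca.pem", True),
        ("host=db.example.com sslmode=verify-full sslrootcert=ca.pem", True),
        ("host=db.example.com sslrootcert=system", None),
        ("host=db.example.com sslmode=require sslrootcert=system", None),
    )
    for dsn, present in samples:
        print(f"{dsn:62} -> {explain(dsn, present)}")
```

Run as a script to see the verdict for each constructed DSN; the interesting rows are the first (require with no root.crt: TLS but no authentication at all) and the last (require combined with sslrootcert=system, which libpq rejects outright).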