| From: | Cameron Murdoch <cam(at)macaroon(dot)net> |
|---|---|
| To: | Greg Stark <stark(at)mit(dot)edu> |
| Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, thomas(at)habets(dot)se |
| Subject: | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
| Date: | 2021-09-17 23:09:49 |
| Message-ID: | CAEKtD7K+6Pxm4C10rdvLMSdW6tBHdDN0GeF5UTWkb0SM_gJAwA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi,
I manage a bunch of Postgres servers at Oslo University and we use real ssl
certs on all our servers.
I was actually really surprised to discover that the libpq default is
sslmode=require and that the root cert defaults to a file under the user’s
home directory. I have been planning to use our management system
(CFEngine) to globally change the client settings to verify-ca and to use
the system trust store.
So that’s a +1 to use the system cert store for client connections.
I also agree that the proposed patch is not the right way to go as it is
essentially the same as verify-full, and I think that the correct fix would
be to change the default.
Thanks
C
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alexander Korotkov | 2021-09-17 23:24:17 | Re: postgres.h included from relcache.h - but removing it breaks pg_upgrade |
| Previous Message | Alvaro Herrera | 2021-09-17 21:59:24 | Re: Timeout failure in 019_replslot_limit.pl |