Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

From: Jelte Fennema <postgres(at)jeltef(dot)nl>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Jacob Champion <jchampion(at)timescale(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, thomas(at)habets(dot)se, pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>
Subject: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date: 2023-01-06 14:28:03
Message-ID: CAGECzQS9D36xZZKNmWfCPhzwga=L8UKpVD7FR=bk-e6AWR7a_Q@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

> One reason might be that it doesn't give you any way not to fall back on
> the system store.

To not fall back to the system store you could still provide the exact path
to the CA cert file.

> +1 for doing this, although I think client certs are less likely to have
> been issued by a public CA.

I totally agree that it's less likely. And I definitely don't want to block this
patch on this feature. Especially since configuring your database server
is much easier than configuring ALL the clients that ever connect to your
database.

However, I would like to give a use case where use public CA signed
client authentication can make sense:
Authenticating different nodes in a citus cluster to each other. If such
nodes already have a public CA signed certificate for their hostname
to attest their identity for regular clients, then you can set up client
side auth on each of the nodes so that each node in the
cluster can connect as any user to each of the other nodes in
the cluster by authenticating with that same certificate.

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Andrew Dunstan 2023-01-06 14:40:31 Re: Cygwin cleanup
Previous Message Andrew Dunstan 2023-01-06 13:49:57 Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert