Re: sslmode=secure by default (Re: Making sslrootcert=system work on Windows psql)

From: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
To: Peter Eisentraut <peter(at)eisentraut(dot)org>
Cc: Christoph Berg <myon(at)debian(dot)org>, George MacKerron <george(at)mackerron(dot)co(dot)uk>, Daniel Gustafsson <daniel(at)yesql(dot)se>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: sslmode=secure by default (Re: Making sslrootcert=system work on Windows psql)
Date: 2025-04-24 16:45:50
Message-ID: CAOYmi+kGQzJ=6-A2UdF6_=zS-CgAUXhV6sj_kc=vhZG0BJn5+g@mail.gmail.com
Lists: pgsql-hackers

On Thu, Apr 24, 2025 at 5:00 AM Peter Eisentraut <peter(at)eisentraut(dot)org> wrote:
> I'm generally in favor of making sslmode=verify-full the effective
> default somehow.

+many

On Thu, Apr 24, 2025 at 3:53 AM Christoph Berg <myon(at)debian(dot)org> wrote:
> For
> postgresql://-style strings, we would ideally have something like http://
> vs https://, but I am not sure how to squeeze that into the syntax.

Not to derail things too much, but I'd also like a postgress://
scheme, and I've put a little bit of idle thought into it. I think
we'd want it to imply sslnegotiation=direct and sslrootcert=system
(modulo the Windows discussion already in progress), and potentially
make a bunch of stricter decisions about TLS settings to better match
modern practice. The intent would be to have a "browser-strength"
scheme for people who care more about security than about raw
compatibility with older systems, because they're connecting to
someone else's servers on the open Web.

The hardest part, in my opinion, is that we'd have to start following
the RFC concept of "authority". A URL of
"postgress://example.com/db?host=evil.com&hostaddr=..." is outright
dangerous, as is "postgress://example.com/db?sslmode=disable". So if
there's interest in that scheme, I think it should remain a separate
feature from "verify-full by default", because there's a lot more to
figure out.

--Jacob
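One way to enforce the "authority" rule described in the message above, as an added example in Python that is not part of this thread or of libpq: a hypothetical postgress:// parser that pins host, hostaddr and the TLS settings from the scheme and the URL authority, and refuses any query parameter that would override them. The scheme name, the set of pinned keys and the implied defaults are assumptions drawn from the message, not an existing libpq feature.

```python
from urllib.parse import parse_qsl, urlsplit

# Parameters a hypothetical postgress:// scheme fixes from the scheme itself
# or from the URL authority (assumed here; libpq has no such scheme). The
# query string must not override them, or "?host=evil.com" silently changes
# the peer and "?sslmode=disable" silently drops TLS.
PINNED = {"host", "hostaddr", "sslmode", "sslnegotiation", "sslrootcert"}
SCHEME_DEFAULTS = {
    "sslmode": "verify-full",    # certificate and hostname verification
    "sslnegotiation": "direct",  # no cleartext negotiation round-trip
    "sslrootcert": "system",     # trust the OS certificate store
}

class InsecureOverride(ValueError):
    """The query string tried to override a pinned parameter."""
    def __init__(self, key):
        super().__init__(f"{key!r} may not appear in a postgress:// query")
        self.key = key

def parse_postgress_url(url):
    """Turn a postgress:// URL into libpq-style keyword/value parameters;
    raise InsecureOverride if the query contradicts the authority."""
    parts = urlsplit(url)
    if parts.scheme != "postgress":
        raise ValueError("not a postgress:// URL")
    if not parts.hostname:
        raise ValueError("postgress:// requires a host in the authority")
    params = dict(SCHEME_DEFAULTS)
    params["host"] = parts.hostname  # only the authority decides the peer
    if parts.port is not None:
        params["port"] = str(parts.port)
    if parts.username:
        params["user"] = parts.username
    if parts.password:
        params["password"] = parts.password
    if parts.path.lstrip("/"):
        params["dbname"] = parts.path.lstrip("/")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in PINNED:
            raise InsecureOverride(key)
        params[key] = value
    return params

def offending_query_key(url):
    """Return the pinned key a URL tries to override, or None if it is clean."""
    try:
        parse_postgress_url(url)
    except InsecureOverride as exc:
        return exc.key
    return None
```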
