| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, thomas(at)habets(dot)se |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
| Date: | 2021-09-07 16:50:19 |
| Message-ID: | e86fb09a-c787-0b45-3826-feb1b32cfb67@dunslane.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 9/7/21 11:47 AM, Tom Lane wrote:
>
> This is not how I supposed it worked,
That happens to me more than I usually admit -)
> so I'm coming around to the idea
> that we need to do something. I don't like the details of Thomas'
> proposal though; specifically I don't see a need to invent a new sslmode
> value. I think it should just be "if ~/.postgresql/root.crt doesn't
> exist, use the system's default trust store".
>
>
I agree sslmode is the wrong vehicle.
An alternative might be to allow a magic value for sslrootcert, say
"system" which would make it go and look in the system's store wherever
that is, without the user having to know exactly where. OTOH it would
require that the user knows that the system's store is being used, which
might not be a bad thing.
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2021-09-07 16:58:44 | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
| Previous Message | Tom Lane | 2021-09-07 16:48:27 | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |