Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Msg-id 038b20792eeefb1867fe67ddffe490c4a2650294.camel@vmware.com
In response to Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (Cameron Murdoch <cam@macaroon.net>)
Responses Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
List pgsql-hackers
On Sat, 2021-09-18 at 14:20 +0200, Cameron Murdoch wrote:
> Having sslrootcert use the system trust store if
> ~/.postgresql/root.crt doesn’t exist would seem like a good change.

Fallback behavior can almost always be exploited given the right
circumstances. IMO, if I've told psql to use a root cert, it really
needs to do that and not trust anything else.

> Changing sslmode to default to something else would most likely
> break a ton of existing installations, and there are plenty of use
> cases where ssl isn't used. Trying ssl first and without afterwards
> probably is still a sensible default. However…

The discussion on changing the sslmode default behavior seems like it
can be separated from the use of system certificates. Not to shut down
that branch of the conversation, but is there enough tentative support
for an "sslrootcert=system" option to move forward with that, while
also discussing potential changes to the sslmode defaults?

The NSS patchset [1] also deals with this problem. FWIW, it currently
treats an empty ssldatabase setting as "use the system's (Mozilla's)
trusted roots".

--Jacob

[1] https://www.postgresql.org/message-id/flat/FAB21FC8-0F62-434F-AA78-6BD9336D630A@yesql.se
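The no-fallback principle argued above, as an added example that is not part of this thread or of libpq: a small resolver that maps an sslmode plus an sslrootcert setting (an explicit file, the proposed "system" value, or the ~/.postgresql/root.crt default) to a trust source, and raises instead of silently switching to another store when the named file is missing. The function names, the "system" spelling and the simplification that modes below verify-ca perform no verification are assumptions made here, not libpq's behaviour.

```python
import os
import ssl
import tempfile

SYSTEM = "system"  # assumed spelling of the proposed sslrootcert=system value


def resolve_trust(sslmode, sslrootcert=None, home=None):
    """Decide where server-certificate trust comes from, with no silent fallback.

    Returns ("none", None) when the mode does not verify the certificate,
    ("system", None) for sslrootcert=system, or ("file", path) for a root
    certificate file. A missing file is an error, never a downgrade.
    """
    if sslmode not in ("verify-ca", "verify-full"):
        return ("none", None)          # simplification: no verification below verify-ca
    if sslrootcert == SYSTEM:
        return ("system", None)
    if sslrootcert:
        path = sslrootcert             # user named a file: trust that file only
    else:
        home = home or os.path.expanduser("~")
        path = os.path.join(home, ".postgresql", "root.crt")
    if not os.path.isfile(path):
        raise FileNotFoundError(f"root certificate {path!r} missing; refusing to fall back")
    return ("file", path)


def make_context(sslmode, sslrootcert=None, home=None):
    """Build an ssl.SSLContext matching the resolved trust source."""
    source, path = resolve_trust(sslmode, sslrootcert, home)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if source == "none":
        ctx.check_hostname = False     # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = (sslmode == "verify-full")
    if source == "system":
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)   # OS trust store
    else:
        ctx.load_verify_locations(cafile=path)            # only the named file
    return ctx


def demo():
    """Exercise the resolver against a constructed, empty HOME directory."""
    home = tempfile.mkdtemp()
    try:
        resolve_trust("verify-full", home=home)
        missing_raises = False
    except FileNotFoundError:
        missing_raises = True            # default root.crt absent: error, not fallback
    os.makedirs(os.path.join(home, ".postgresql"))
    crt = os.path.join(home, ".postgresql", "root.crt")
    open(crt, "w").close()               # constructed placeholder file (not a real cert)
    return {"missing_raises": missing_raises,
            "default_file": resolve_trust("verify-full", home=home),
            "system": resolve_trust("verify-full", SYSTEM),
            "none": resolve_trust("require")}
```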
