Home > mailing lists

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert - Mailing list pgsql-hackers

From	Tom Lane
Subject	Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date	September 17, 2021 21:53:02
Msg-id	1346301.1631904782@sss.pgh.pa.us Whole thread Raw
In response to	Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert (Greg Stark <stark@mit.edu>)
Responses	Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert (Greg Stark <stark@mit.edu>)
List	pgsql-hackers

Tree view

Greg Stark <stark@mit.edu> writes:
> However I have a different question. Are the system certificates
> intended or general purpose certificates? Do they have their intended
> uses annotated on the certificates? Does SSL Verification have any
> logic deciding which certificates are appropriate for signing servers?

AFAIK, once you've stuck a certificate into the system store, it
will be trusted by every service on your machine.  Most distros
ship system-store contents that are basically just designed for
web browers, because the web is the only widely-applicable use
case.  Like you said, chicken and egg problem.

            regards, tom lane

pgsql-hackers by date:

From: "Bossart, Nathan"
Date: 17 September 2021, 21:50:34
Subject: Re: prevent immature WAL streaming

From: Tom Lane
Date: 17 September 2021, 22:42:59
Subject: Re: right join with partitioned table crash

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert - Mailing list pgsql-hackers

Previous

Next