Re: [HACKERS] Possible SSL improvements for a newcomer to tackle - Mailing list pgsql-hackers

From Nico Williams
Subject Re: [HACKERS] Possible SSL improvements for a newcomer to tackle
Date
Msg-id 20171004191031.GU1251@localhost
Whole thread Raw
In response to Re: [HACKERS] Possible SSL improvements for a newcomer to tackle  (Jeff Janes <jeff.janes@gmail.com>)
List pgsql-hackers
On Wed, Oct 04, 2017 at 11:47:45AM -0700, Jeff Janes wrote:
> On Mon, Oct 2, 2017 at 9:33 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > It's possible that we could adopt some policy like "if the root.crt file
> > exists then default to verify" ... but that seems messy and unreliable,
> > so I'm not sure it would really add any security.
> 
> That is what we do.  If root.crt exists, we default to verify-ca.
> 
> And yes, it is messy and unreliable.  I don't know if it adds any security
> or not.
> 
> Or do you mean we could default to verify-full instead of verify-ca?

I would rather psql defaulted to verify-full and let users deal with
errors by either a) configuring appropriate trust anchors and
provisioning appropriate certificates, or b) disabling verify-full.

Users should know that they are using psql(1) insecurely -- it has to be
obvious.

Yes, this would be a backwards-incompatible change, but security tends
to justify this sort of change.

Another possibility would be to make this default change only applicable
when using postgresql-scheme URIs (which I do, almost religiously --
they are much easier to use than all alternative connection data
specifications).

Nico
-- 


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

pgsql-hackers by date:

Previous
From: Robert Haas
Date:
Subject: Re: [HACKERS] Partition-wise join for join between (declaratively)partitioned tables
Next
From: Robert Haas
Date:
Subject: Re: [HACKERS] 64-bit queryId?