On Wed, Oct 04, 2017 at 11:47:45AM -0700, Jeff Janes wrote:
> On Mon, Oct 2, 2017 at 9:33 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > It's possible that we could adopt some policy like "if the root.crt file
> > exists then default to verify" ... but that seems messy and unreliable,
> > so I'm not sure it would really add any security.
>
> That is what we do. If root.crt exists, we default to verify-ca.
>
> And yes, it is messy and unreliable. I don't know if it adds any security
> or not.
>
> Or do you mean we could default to verify-full instead of verify-ca?
I would rather psql defaulted to verify-full and let users deal with
errors by either a) configuring appropriate trust anchors and
provisioning appropriate certificates, or b) disabling verify-full.
Users should know that they are using psql(1) insecurely -- it has to be
obvious.
Yes, this would be a backwards-incompatible change, but security tends
to justify this sort of change.
Another possibility would be to make this default change only applicable
when using postgresql-scheme URIs (which I do, almost religiously --
they are much easier to use than all alternative connection data
specifications).
Nico
--
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers