Home > mailing lists

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert - Mailing list pgsql-hackers

From	thomas@habets.se
Subject	Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date	September 7, 2021 01:21:13
Msg-id	CA+kHd+d9+GCfSEj5nNwEru2vd5wbeqeo0AswEAgfG1oqJ0_FyA@mail.gmail.com Whole thread Raw
In response to	Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert (Tom Lane <tgl@sss.pgh.pa.us>)
Responses	Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert (Andrew Dunstan <andrew@dunslane.net>)
List	pgsql-hackers

Tree view

On Mon, 6 Sep 2021 20:47:37 +0100, Tom Lane <tgl@sss.pgh.pa.us> said:
> I'm confused by your description of this patch.  AFAIK, OpenSSL verifies
> against the system-wide CA pool by default.  Why do we need to do
> anything?

Experimentally, no it doesn't. Or if it does, then it doesn't verify
the CN/altnames of the cert.

sslmode=require allows self-signed and name mismatch.

verify-ca errors out if there is no ~/.postgresql/root.crt. verify-full too.

It seems that currently postgresql verifies the name if and only if
verify-full is used, and then only against ~/.postgresql/root.crt CA file.

But could be that I missed a config option?

--
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "thomas@habets.se" };
  char kernel[]    = { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "9907 8698 8A24 F52F 1C2E  87F6 39A4 9EEA 460A 0169" };
  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

pgsql-hackers by date:

From: Peter Geoghegan
Date: 07 September 2021, 00:58:53
Subject: Re: The Free Space Map: Problems and Opportunities

From: Hannu Krosing
Date: 07 September 2021, 02:33:28
Subject: Re: The Free Space Map: Problems and Opportunities

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert - Mailing list pgsql-hackers

Previous

Next