Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date
Msg-id CAAWbhmhaweeo3-_-DBYM5Knx=kMbc=PoGpCrgBFdjrS0V8X7HQ@mail.gmail.com
In response to Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (thomas@habets.se)
List pgsql-hackers
On Tue, Oct 25, 2022 at 4:01 AM <thomas@habets.se> wrote:
> Yeah I agree that not forcing verify-full when using system CAs is a
> giant foot-gun, and many will stop configuring just until it works.
>
> Is there any argument for not checking hostname when using a CA pool
> for which literally anyone can create a cert that passes?

I don't think so. For verify-ca to make any sense, the system CA pool
would need to be very strictly curated, and IMO we already have that
use case covered today.

If there are no valuable use cases for weaker checks, then we could go
even further than my 0002 and just reject any weaker sslmodes
outright. That'd be nice.

--Jacob


