Re: Usage of the system truststore for SSL certificate validation - Mailing list pgsql-hackers

From Ashutosh Sharma
Subject Re: Usage of the system truststore for SSL certificate validation
Date
Msg-id CAE9k0Pm6_T8FpTGGGX79vc8N_K1sLyo55NC8HynhsK=hb0JMzQ@mail.gmail.com
Whole thread Raw
In response to Usage of the system truststore for SSL certificate validation  (Thomas Berger <thomas.berger@1und1.de>)
List pgsql-hackers
This certainly looks like a good addition to me that can be
implemented on both client and server side. It is always good to have
a common location where the list of all the certificates from various
CA's can be placed for validation.

--
With Regards,
Ashutosh Sharma
EnterpriseDB:http://www.enterprisedb.com

On Thu, Sep 19, 2019 at 8:24 PM Thomas Berger <thomas.berger@1und1.de> wrote:
>
> Hi,
>
> currently, libpq does SSL cerificate validation only against the defined
> `PGSSLROOTCERT` file.
>
> Is there any specific reason, why the system truststore ( at least under
> unixoid systems) is not considered for the validation?
>
> We would like to contribute a patch to allow certificate validation against
> the system truststore. Are there any opinions against it?
>
>
> A little bit background for this:
>
> Internally we sign the certificates for our systems with our own CA. The CA
> root certificates and revocation lists are distributed via puppet and/or
> packages on all of our internal systems.
>
> Validating the certificate against this CA requires to either override the
> PGSSLROOTCERT location via the environment or provide a copy of the file for
> each user that connects with libpq or libpq-like connectors.
>
> We would like to simplify this.
>
>
> --
> Thomas Berger
>
> PostgreSQL DBA
> Database Operations
>
> 1&1 Telecommunication SE | Ernst-Frey-Straße 10 | 76135 Karlsruhe | Germany
>
>



pgsql-hackers by date:

Previous
From: Andres Freund
Date:
Subject: Re: WIP: Generic functions for Node types using generated metadata
Next
From: Dilip Kumar
Date:
Subject: Re: dropdb --force