Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert - Mailing list pgsql-hackers

From Cameron Murdoch
Subject Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Msg-id CAEKtD7K+6Pxm4C10rdvLMSdW6tBHdDN0GeF5UTWkb0SM_gJAwA@mail.gmail.com
In response to Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (Greg Stark <stark@mit.edu>)
Responses Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
List pgsql-hackers
Hi,

I manage a bunch of Postgres servers at Oslo University and we use real SSL certs on all our servers.

I was actually really surprised to discover that the libpq default is sslmode=require and that the root cert defaults to a file under the user’s home directory. I have been planning to use our management system (CFEngine) to globally change the client settings to verify-ca and to use the system trust store.

So that’s a +1 to use the system cert store for client connections.

I also agree that the proposed patch is not the right way to go as it is essentially the same as verify-full, and I think that the correct fix would be to change the default.

Thanks
C
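The message above turns on one detail of libpq client configuration: which sslmode values actually verify the server's identity, and how the presence of a root CA file changes what `require` does. The following audit script is an added example and is not code from the thread or from PostgreSQL itself. It parses a keyword/value libpq connection string (URI form is not handled, and values are assumed to be unquoted), applies the precedence documented for libpq (connection string, then PGSSLMODE/PGSSLROOTCERT, then the built-in defaults of `prefer` and `~/.postgresql/root.crt`), and reports whether the resulting connection is guaranteed to be encrypted, CA-verified and hostname-verified. The special value `sslrootcert=system` and its effect on the default mode are libpq behaviour from PostgreSQL 16 onward, which postdates this thread; the function names and the sample connection strings are constructed for the example.

```python
"""Audit libpq client SSL settings: does this configuration verify the server?"""
from __future__ import annotations

import os
from dataclasses import dataclass

# libpq behaviour per sslmode (from the libpq documentation):
#   disable / allow / prefer : the session may end up unencrypted
#   require                  : always TLS; the CA chain is checked only if a
#                              root cert file is actually present
#   verify-ca                : CA chain checked, server hostname not checked
#   verify-full              : CA chain and hostname both checked
VALID_MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
DEFAULT_MODE = "prefer"                      # libpq default when sslmode is unset
DEFAULT_ROOTCERT = "~/.postgresql/root.crt"  # libpq default location on Unix


@dataclass(frozen=True)
class SslAssessment:
    mode: str
    encrypted: bool          # TLS is guaranteed for every session
    ca_verified: bool        # server cert must chain to a trusted CA
    hostname_verified: bool  # server name must match the certificate
    reason: str


def parse_dsn(dsn: str) -> dict[str, str]:
    """Parse a keyword/value connection string such as "host=db sslmode=require".

    Simplified for the example: quoted values with spaces and URI syntax are
    not supported.
    """
    params: dict[str, str] = {}
    for token in dsn.split():
        if "=" not in token:
            raise ValueError(f"malformed connection-string token: {token!r}")
        key, _, value = token.partition("=")
        params[key.strip()] = value.strip().strip("'")
    return params


def assess(params: dict[str, str], env: dict[str, str] | None = None,
           root_cert_present: bool | None = None) -> SslAssessment:
    """Classify the effective client SSL policy.

    root_cert_present overrides the filesystem check (useful for tests or for
    auditing a config that will be deployed on other hosts).
    """
    env = env or {}
    rootcert = params.get("sslrootcert") or env.get("PGSSLROOTCERT") or DEFAULT_ROOTCERT
    mode = params.get("sslmode") or env.get("PGSSLMODE")
    if mode is None:
        # PostgreSQL 16+: sslrootcert=system flips the default mode to verify-full.
        mode = "verify-full" if rootcert == "system" else DEFAULT_MODE
    if mode not in VALID_MODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    if root_cert_present is None:
        root_cert_present = (rootcert == "system"
                             or os.path.exists(os.path.expanduser(rootcert)))

    if mode == "disable":
        return SslAssessment(mode, False, False, False, "TLS never used")
    if mode in ("allow", "prefer"):
        return SslAssessment(mode, False, False, False,
                             "TLS negotiated opportunistically; plaintext fallback possible")
    if mode == "require":
        if root_cert_present:
            return SslAssessment(mode, True, True, False,
                                 f"root cert {rootcert!r} present, so require acts like verify-ca")
        return SslAssessment(mode, True, False, False,
                             "encrypted, but any certificate is accepted (no root cert found)")
    if mode == "verify-ca":
        return SslAssessment(mode, True, True, False, "CA chain checked; hostname not checked")
    return SslAssessment(mode, True, True, True, "CA chain and hostname checked")


def findings(dsn: str, env: dict[str, str] | None = None,
             root_cert_present: bool | None = None) -> list[str]:
    """Return human-readable findings for a connection string (empty list = fine)."""
    a = assess(parse_dsn(dsn), env, root_cert_present)
    out = []
    if not a.encrypted:
        out.append(f"sslmode={a.mode}: {a.reason}")
    if not a.ca_verified:
        out.append(f"sslmode={a.mode}: server certificate not verified against a CA")
    if not a.hostname_verified:
        out.append(f"sslmode={a.mode}: server hostname not verified; use verify-full")
    return out


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts.
    for dsn in ("host=db.example.org sslmode=require",
                "host=db.example.org sslmode=verify-ca",
                "host=db.example.org sslmode=verify-full sslrootcert=system"):
        print(dsn, "->", findings(dsn, env={}, root_cert_present=False) or "ok")
```

The practical takeaway matches the thread: only `verify-full` both pins the CA and checks the hostname, and what `require` verifies depends on whether a root cert file happens to exist on the client, which is why pushing an explicit mode and trust store out through configuration management is the reliable fix.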
