Home > mailing lists

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert - Mailing list pgsql-hackers

From	Greg Stark
Subject	Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date	September 18, 2021 00:35:58
Msg-id	CAM-w4HO3JAvoZb9LtemyYStuVvGLuF9_HDG9cdU1mq=bZ4UGfg@mail.gmail.com Whole thread Raw
In response to	Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert (Tom Lane <tgl@sss.pgh.pa.us>)
Responses	Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert (Cameron Murdoch <cam@macaroon.net>) Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert (Andrew Dunstan <andrew@dunslane.net>)
List	pgsql-hackers

Tree view

Hm. Let's Encrypt's FAQ tells me I'm on the right track with that
question but the distinctinos are far more coarse than I was worried
about:


Does Let’s Encrypt issue certificates for anything other than SSL/TLS
for websites?

Let’s Encrypt certificates are standard Domain Validation
certificates, so you can use them for any server that uses a domain
name, like web servers, mail servers, FTP servers, and many more.

Email encryption and code signing require a different type of
certificate that Let’s Encrypt does not issue.


So it sounds like, at least for SSL connections, we should use the
same certificate authorities used to authenticate web sites. If ever
we implemented signed extensions, for example, it might require
different certificates -- I don't know what that means for the SSL
validation rules and the storage for them.

pgsql-hackers by date:

From: Alvaro Herrera
Date: 18 September 2021, 00:22:00
Subject: Re: prevent immature WAL streaming

From: Cameron Murdoch
Date: 18 September 2021, 02:09:49
Subject: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert - Mailing list pgsql-hackers

Previous

Next