Home > mailing lists

Re: Making sslrootcert=system work on Windows psql - Mailing list pgsql-hackers

From	Christoph Berg
Subject	Re: Making sslrootcert=system work on Windows psql
Date	April 3 16:28:12
Msg-id	Z-6M7Dx7s6IX_ipL@msg.df7cb.de Whole thread Raw
In response to	Re: Making sslrootcert=system work on Windows psql (George MacKerron <george@mackerron.co.uk>)
Responses	Re: Making sslrootcert=system work on Windows psql
List	pgsql-hackers

Tree view

Re: George MacKerron
> (3) Any other ideas?

I'm not a fan of "security by adding more connection parameters".

What are the chances of making "use the system/os default CA store"
the default? "sslmode=require" would then already actually "require" a
certificate if I'm reading the docs right. This would match user
expectation for POLA.

This default could then be pointed at the correct locations (plural)
on all operating systems. (sslrootcert=system:wincert:otherlocation?)

The "default default" would still be sslmode=prefer so it wouldn't
break today's normal case. Users of sslmode=require will understand
that supplying a CA certificate is no longer optional.

Perhaps add a sslmode=require-weak could be added as a workaround.

Christoph

pgsql-hackers by date:

From: Jakub Wartak
Date: 03 April, 16:12:38
Subject: Re: Draft for basic NUMA observability

From: Peter Eisentraut
Date: 03 April, 16:32:49
Subject: Re: Update LDAP Protocol in fe-connect.c to v3

Re: Making sslrootcert=system work on Windows psql - Mailing list pgsql-hackers

Previous

Next