On 9/7/21 11:47 AM, Tom Lane wrote:
> This is not how I supposed it worked,

That happens to me more than I usually admit :-)

> so I'm coming around to the idea
> that we need to do something. I don't like the details of Thomas'
> proposal though; specifically I don't see a need to invent a new sslmode
> value. I think it should just be "if ~/.postgresql/root.crt doesn't
> exist, use the system's default trust store".

I agree sslmode is the wrong vehicle.
An alternative might be to allow a magic value for sslrootcert, say
"system" which would make it go and look in the system's store wherever
that is, without the user having to know exactly where. OTOH it would
require that the user knows that the system's store is being used, which
might not be a bad thing.

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com
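
The two ideas in this message (falling back to the system store when ~/.postgresql/root.crt is absent, versus an explicit sslrootcert value of "system") can be compared with a small model. This is an added illustration, not libpq code and not from the thread; the `Policy` names, the `'missing'` result and the rule that the fallback applies only to the default path are assumptions.

```python
import os
import ssl
from enum import Enum

SYSTEM = "system"  # magic sslrootcert value floated in the message above

class Policy(Enum):
    IMPLICIT_FALLBACK = "fallback"  # no default root.crt -> system store
    EXPLICIT_KEYWORD = "keyword"    # system store only via sslrootcert=system

def resolve_trust_roots(policy, sslrootcert=None, home=None):
    """Return (source, path); source is 'file', 'system' or 'missing'."""
    home = home or os.path.expanduser("~")
    default = os.path.join(home, ".postgresql", "root.crt")
    if policy is Policy.EXPLICIT_KEYWORD and sslrootcert == SYSTEM:
        return ("system", None)
    path = sslrootcert or default
    if os.path.isfile(path):
        return ("file", path)
    # Assumption: the fallback applies only to the default path, so a
    # user-supplied sslrootcert that is missing stays an error.
    if policy is Policy.IMPLICIT_FALLBACK and sslrootcert is None:
        return ("system", None)
    return ("missing", path)

def make_context(source, path=None):
    """Build a verifying client context from a resolved trust source."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if source == "file":
        ctx.load_verify_locations(cafile=path)
    elif source == "system":
        ctx.load_default_certs()
    else:
        raise FileNotFoundError(f"no trust roots: {path}")
    return ctx

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as home:  # constructed, empty home
        for policy in Policy:
            for value in (None, SYSTEM):
                print(policy.name, repr(value),
                      resolve_trust_roots(policy, value, home))
```

With an empty home directory the implicit policy resolves to the system store without any setting naming it, while the keyword policy reports the roots as missing until "system" is requested.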