>> 1) No roots (but still works for some unknown reason)
>> 2) Explicitly configured corporate roots
>> 3) Explicitly configured corporate roots, AND global roots
>> 4) Global roots (but still works for some unknown reason)
>>
>> Keep in mind that at least Debian distributes a ca-certificates package,
>> and I can't imagine they're alone.
>>
>
> My guess is you'll find both options 1 and 2 fairly often, and 3 and 4
> very seldom.
> (Note that if you configure libpq for no roots, it will accept any
> certificate without verifying the chain)
>
So, if you do nothing special, it's #1? Sounds like the path of least
resistance is no security. Uh oh.

> That's one of the things, yeah, agreed. I meant the internals part only
> as an argument for why you'll see most pg deployments not using global
> certs.
>
> OTOH, if your firewall lets your clients (or even worse - your webserver
> or so) connect out to arbitrary machines on the PostgreSQL port, it can
> easily be argued that you have a lot of homework to do elsewhere as well
> ;-) But that's just a mitigating factor, and not a solution.
>
>
It's hard enough to manage inbound firewall rules. Outbound?
Fuggetaboutit :)
--Dan
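
The following check is an added example, not part of the thread: it classifies libpq connection strings by whether the server certificate chain is verified and where the roots come from, which maps onto the root configurations listed above. It relies on current libpq's `sslmode` and `sslrootcert` connection parameters, which the thread does not mention; the connection strings and host names are constructed, and environment variables and service files are not consulted.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# key=value pairs of a libpq conninfo string; values may be single-quoted.
PAIR = re.compile(r"(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|(\S+))")

# What each sslmode guarantees about the server certificate.
# Note: with "require", libpq still verifies the chain if a root file exists,
# so the result depends on the client's filesystem, not on the setting.
VERIFY = {
    "disable": "plaintext-possible",
    "allow": "plaintext-possible",
    "prefer": "plaintext-possible",
    "require": "encrypted-unverified",
    "verify-ca": "chain-verified",
    "verify-full": "chain-and-host-verified",
}

def parse_conninfo(dsn):
    """Return parameters from a key=value string or a postgresql:// URI."""
    if dsn.startswith(("postgresql://", "postgres://")):
        return dict(parse_qsl(urlsplit(dsn).query))
    params = {}
    for m in PAIR.finditer(dsn):
        quoted, bare = m.group(2), m.group(3)
        # Inside quotes, a backslash escapes the next character.
        params[m.group(1)] = (re.sub(r"\\(.)", r"\1", quoted)
                              if quoted is not None else bare)
    return params

def audit(dsn):
    """Return (verification level, root source) for one connection string."""
    p = parse_conninfo(dsn)
    roots = p.get("sslrootcert")
    # libpq defaults: sslmode=prefer, or verify-full when sslrootcert=system.
    mode = p.get("sslmode", "verify-full" if roots == "system" else "prefer")
    if roots is None:
        source = "default-file"      # ~/.postgresql/root.crt, if present
    elif roots == "system":
        source = "global-roots"      # OS trust store (PostgreSQL 16+)
    else:
        source = "configured-roots"  # explicitly named CA file
    return VERIFY.get(mode, "unknown-sslmode"), source

def unverified(dsns):
    """Connection strings whose settings do not demand chain verification."""
    ok = ("chain-verified", "chain-and-host-verified")
    return [d for d in dsns if audit(d)[0] not in ok]
```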