I previously made one minuscule contribution to the project two years ago. I'm interested in doing some more, and I'm trying to figure out what to focus on. Two SSL-related projects caught my attention:
1)
Allow automatic selection of SSL client certificates from a certificate store (https://www.postgresql.org/message-id/8766.1241799013@sss.pgh.pa.us). It seems relatively straightforward to support an additional file format for key-value pairs in postgresql.crt/.key, and I think this is something I could take on if it's still desired.
2) I was surprised to learn the following from the docs:
>
By default, PostgreSQL will not perform any verification of the server certificate. This means that it is possible to spoof the server identity (for example by modifying a DNS record or by taking over the server IP address) without the client knowing. In order to prevent spoofing, SSL certificate verification must be used.
Is there a technical reason to perform no verification by default? Wouldn't a safer default be desirable?