Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Поиск
Список
Период
Сортировка
От Jacob Champion
Тема Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Дата
Msg-id CAAWbhmhaweeo3-_-DBYM5Knx=kMbc=PoGpCrgBFdjrS0V8X7HQ@mail.gmail.com
обсуждение исходный текст
Ответ на Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (thomas@habets.se)
Список pgsql-hackers
Дерево обсуждения 
On Tue, Oct 25, 2022 at 4:01 AM <thomas@habets.se> wrote:
> Yeah I agree that not forcing verify-full when using system CAs is a
> giant foot-gun, and many will stop configuring just until it works.
>
> Is there any argument for not checking hostname when using a CA pool
> for which literally anyone can create a cert that passes?

I don't think so. For verify-ca to make any sense, the system CA pool
would need to be very strictly curated, and IMO we already have that
use case covered today.

If there are no valuable use cases for weaker checks, then we could go
even further than my 0002 and just reject any weaker sslmodes
outright. That'd be nice.

--Jacob

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Justin Pryzby
Дата:
Сообщение: Re: GUC values - recommended way to declare the C variables?
Следующее
От: Jacob Champion
Дата:
Сообщение: Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert