Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

From Cameron Murdoch
Subject Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Date
Msg-id CAEKtD7K+6Pxm4C10rdvLMSdW6tBHdDN0GeF5UTWkb0SM_gJAwA@mail.gmail.com
In reply to Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (Greg Stark <stark@mit.edu>)
Responses Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (Thomas Habets <thomas@habets.se>)
List pgsql-hackers

Hi,

I manage a bunch of Postgres servers at Oslo University and we use real ssl certs on all our servers.

I was actually really surprised to discover that the libpq default is sslmode=require and that the root cert defaults to a file under the user’s home directory. I have been planning to use our management system (CFEngine) to globally change the client settings to verify-ca and to use the system trust store.

So that’s a +1 to use the system cert store for client connections.

I also agree that the proposed patch is not the right way to go as it is essentially the same as verify-full, and I think that the correct fix would be to change the default.

Thanks
C
