Re: Making sslrootcert=system work on Windows psql
| От | Christoph Berg |
|---|---|
| Тема | Re: Making sslrootcert=system work on Windows psql |
| Дата | |
| Msg-id | Z-6M7Dx7s6IX_ipL@msg.df7cb.de обсуждение исходный текст |
| Ответ на | Re: Making sslrootcert=system work on Windows psql (George MacKerron <george@mackerron.co.uk>) |
| Ответы |
Re: Making sslrootcert=system work on Windows psql
|
| Список | pgsql-hackers |
Re: George MacKerron > (3) Any other ideas? I'm not a fan of "security by adding more connection parameters". What are the chances of making "use the system/os default CA store" the default? "sslmode=require" would then already actually "require" a certificate if I'm reading the docs right. This would match user expectation for POLA. This default could then be pointed at the correct locations (plural) on all operating systems. (sslrootcert=system:wincert:otherlocation?) The "default default" would still be sslmode=prefer so it wouldn't break today's normal case. Users of sslmode=require will understand that supplying a CA certificate is no longer optional. Perhaps add a sslmode=require-weak could be added as a workaround. Christoph
В списке pgsql-hackers по дате отправления: