This certainly looks like a good addition to me that can be implemented on both client and server side. It is always good to have a common location where the list of all the certificates from various CAs can be placed for validation.
--
With Regards,
Ashutosh Sharma
EnterpriseDB: http://www.enterprisedb.com

On Thu, Sep 19, 2019 at 8:24 PM Thomas Berger <thomas.ber...@1und1.de> wrote:
>
> Hi,
>
> currently, libpq does SSL certificate validation only against the defined
> `PGSSLROOTCERT` file.
>
> Is there any specific reason why the system truststore (at least under
> unixoid systems) is not considered for the validation?
>
> We would like to contribute a patch to allow certificate validation against
> the system truststore. Are there any opinions against it?
>
>
> A little bit of background for this:
>
> Internally we sign the certificates for our systems with our own CA. The CA
> root certificates and revocation lists are distributed via puppet and/or
> packages on all of our internal systems.
>
> Validating the certificate against this CA requires either overriding the
> PGSSLROOTCERT location via the environment or providing a copy of the file for
> each user that connects with libpq or libpq-like connectors.
>
> We would like to simplify this.
>
>
> --
> Thomas Berger
>
> PostgreSQL DBA
> Database Operations
>
> 1&1 Telecommunication SE | Ernst-Frey-Straße 10 | 76135 Karlsruhe | Germany
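The trust-store selection the thread is discussing, written out as an added example in Python's standard `ssl` module. This is not libpq code and not part of the thread; it is an analogue of the decision a libpq-style client makes: under `verify-ca` / `verify-full` it validates the server certificate, and the CA set comes either from an explicit `sslrootcert` file (what libpq does today) or, as the proposal suggests, from the system trust store that OpenSSL locates through its compiled-in default path or the `SSL_CERT_FILE` environment variable. The `TrustSource` type, the `choose_root_store` / `build_context` function names and the sample paths are constructed for this example.

```python
"""Trust-store selection for a TLS client, modelled on libpq's sslmode and
sslrootcert settings.  Added example; not libpq's own code."""
import os
import ssl
from dataclasses import dataclass
from typing import Mapping, Optional

# libpq sslmode values under which the server certificate is validated.
VERIFYING_MODES = ("verify-ca", "verify-full")


@dataclass
class TrustSource:
    kind: str       # "explicit-file" or "system-store"
    location: str   # the CA bundle that will be consulted


def choose_root_store(sslrootcert: Optional[str],
                      environ: Optional[Mapping[str, str]] = None) -> TrustSource:
    """Decide where root CA certificates come from.

    libpq today consults only the explicit root-cert file (sslrootcert /
    PGSSLROOTCERT).  The fallback to the system store implemented here is
    the behaviour the thread proposes, not current libpq behaviour.
    """
    env = os.environ if environ is None else environ
    if sslrootcert:
        return TrustSource("explicit-file", sslrootcert)
    defaults = ssl.get_default_verify_paths()
    # OpenSSL lets SSL_CERT_FILE override the compiled-in default bundle;
    # report whichever path is effective so an operator can see which
    # store a "system truststore" connection would actually trust.
    cafile = env.get(defaults.openssl_cafile_env) or defaults.openssl_cafile
    return TrustSource("system-store", cafile or "<no default CA file>")


def build_context(sslmode: str, sslrootcert: Optional[str] = None) -> ssl.SSLContext:
    """Build a client SSLContext matching the given libpq sslmode."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if sslmode not in VERIFYING_MODES:
        # require / prefer / allow: the channel is encrypted but the server
        # is not authenticated, so no trust store is needed at all.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.verify_mode = ssl.CERT_REQUIRED
    # verify-full additionally matches the certificate against the host name;
    # verify-ca only checks that a trusted CA signed it.
    ctx.check_hostname = (sslmode == "verify-full")
    source = choose_root_store(sslrootcert)
    if source.kind == "explicit-file":
        # A missing or unreadable file raises here rather than silently
        # falling back, mirroring libpq's hard failure in verify modes.
        ctx.load_verify_locations(cafile=source.location)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def verify_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-data view of what a context will enforce."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname}


if __name__ == "__main__":
    for mode in ("require", "verify-ca", "verify-full"):
        print(mode, verify_summary(build_context(mode)),
              choose_root_store(None))
    # Constructed path to illustrate the explicit-file branch.
    print(choose_root_store("/etc/pki/example/root.crt"))
```

Run as a script it prints, for each mode, whether the server certificate is checked and which CA bundle the system-store branch would use on this machine; the `environ` parameter exists so the `SSL_CERT_FILE` override can be exercised without touching the real process environment.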