Magnus Hagander <mag...@hagander.net> writes: > On Tue, Oct 3, 2017 at 6:33 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: >> I'm not an SSL expert, so insert appropriate grain of salt, but AIUI the >> question is what are you going to verify against?
> One way to do it would be to default to the "system global certificate > store", which is what most other SSL apps do. For example on a typical > debian/ubuntu, that'd be the store in /etc/ssl/certs/ca-certificates.crt. > Exactly where to find them would be distribution-specific though, and we > would need to actually add support for a second certificate store. But that > would probably be a useful feature in itself. Maybe. The impression I have is that it's very common for installations to use a locally-run CA to generate server and client certs. I would not expect them to put such certs into /etc/ssl/certs. But I suppose there might be cases where you would actually pay for a universally-valid cert for a DB server ... regards, tom lane -- Sent via pgsql-hackers mailing list (firstname.lastname@example.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers