Magnus Hagander <> writes:
> On Tue, Oct 3, 2017 at 6:33 AM, Tom Lane <> wrote:
>> I'm not an SSL expert, so insert appropriate grain of salt, but AIUI the
>> question is what are you going to verify against?

> One way to do it would be to default to the "system global certificate
> store", which is what most other SSL apps do. For example on a typical
> debian/ubuntu, that'd be the store in /etc/ssl/certs/ca-certificates.crt.
> Exactly where to find them would be distribution-specific though, and we
> would need to actually add support for a second certificate store. But that
> would probably be a useful feature in itself.

Maybe.  The impression I have is that it's very common for installations
to use a locally-run CA to generate server and client certs.  I would not
expect them to put such certs into /etc/ssl/certs.  But I suppose there
might be cases where you would actually pay for a universally-valid cert
for a DB server ...

                        regards, tom lane

Sent via pgsql-hackers mailing list (
To make changes to your subscription:

Reply via email to