On Tue, Oct 03, 2017 at 09:44:01AM -0400, Tom Lane wrote: > Magnus Hagander <mag...@hagander.net> writes: > > On Tue, Oct 3, 2017 at 6:33 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: > >> I'm not an SSL expert, so insert appropriate grain of salt, but AIUI the > >> question is what are you going to verify against? > > > One way to do it would be to default to the "system global certificate > > store", which is what most other SSL apps do. For example on a typical > > debian/ubuntu, that'd be the store in /etc/ssl/certs/ca-certificates.crt. > > Exactly where to find them would be distribution-specific though, and we > > would need to actually add support for a second certificate store. But that > > would probably be a useful feature in itself. > > Maybe. The impression I have is that it's very common for installations > to use a locally-run CA to generate server and client certs. I would not > expect them to put such certs into /etc/ssl/certs. But I suppose there > might be cases where you would actually pay for a universally-valid cert > for a DB server ...
No, that is very common. However, in non-enterprise uses it's also very common for those to be Web PKI certificates, which would be very inappropriate for use in PG, so I agree that PG should not use the system trust anchor set by default. PG should just require that a trust anchor set be configured. Nico -- -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
